NASA Contractor Report 189698 


Formal Design Specification of a Processor 
Interface Unit 


David A Fura 

Boeing Defense & Space Group 
Seattle, Washington 

Phillip J. Windley 
University of Idaho 
Moscow, Idaho 

G. C. Cohen 

Boeing Defense & Space Group 
Seattle, Washington 


NASA Contract NAS1-18586 
November 1992 


NASA 

National Aeronautics and 

Space Administration (NASA-CR-189698) FORMAL DESIGN 

Langley Research Center SPECIFICATION OF A PROCESSOR 

Hampton, Virginia 23665-5525 INTERFACE UNIT (Boeing Military 

Airplane Povol opr, lent ) £ * 0 -3 — q. 


N9 3-1 2 5 3-3 


Unci as 





Preface 


This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital 
Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 9. Task 9 is concerned 
with the formal specification of a processor interface unit. 

This report describes the formal specification of the design for a processor interface unit using the HOL 
methodology. The processor interface unit is a single-chip subsystem within a fault-tolerant embedded sys- 
tem under development at the Boeing High Technology Center. It provides the opportunity to investigate 
the specification and verification of a real-world component within a commercially-developed fault-tolerant 
computer. 

The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center, Hamp- 
ton, Virginia. 

The work was accomplished at the Boeing Company, Seattle, Washington and the University of Idaho, 
Moscow, Idaho. Personnel responsible for the work include: 

Boeing Military Airplanes: 

D. Gangsaas, Responsible Manager 
T. M. Richardson, Program Manager 

Boeing High Technology Center: 

Gerald C. Cohen, Principal Investigator 
David A. Fura, Researcher 

University of Idaho: 

Dr. Phillip J. Windley, Chief Researcher 




11 



Contents 


1 


Introduction 

1.1 Informal PIU Description 

1.1.1 PMM Initialization 

1.1.2 CPU Accesses to Memory 

1.1.2.1 To Local Memory 

1.1.2.2 To Internal Register File 

1.1.2.3 To the C_Bus 


1.1.3 C_Bus Accesses to Memory 

1.1.4 Timers and Interrupts 

1.2 Specification Overview 


1 

1 

3 

4 

4 

5 

6 
6 
6 
6 


2 Generic Interpreter Theory 

2.1 Introduction 

2.2 Formal Microprocessor Modeling 

2.2. 1 Microprocessor Specification 

2.2.2 Microprocessor Verification 

2.3 A Formal Model of Interpreters 

2.3. 1 Abstract Theories 

2.3.2 Temporal Abstraction 

2.3.3 The Abstract Representation 

2.3.4 The Theory Obligations 

2.3.5 Abstract Theorems 

2.3.5. 1 Defining the Interpreter 

2.3.5.2 Induction on Interpreters 

2.3.5.3 The Implementation is Live 

2.3.5.4 The Correctness Statement 

2.3.5. 5 Composing Interpreters Hierarchically 

2.4 Parallel Composition 

2.5 Conclusion 


9 

9 

9 

9 
10 

10 
10 
12 
12 

14 

15 
15 

15 

16 
16 
17 
17 
17 


3 Design Specification 

3.1 Gate-level Structure 

3.1.1 Component Descriptions 

3. 1.1.1 Combinational Logic .. 

3. 1.1.2 Latches 

3. 1.1.3 Flip-Flops 

3.1. 1.4 Counters 

3.1. 1.5 CTR Datapath Block .. 

3.1. 1.6 ICR Datapath Block ... 

3. 1.1.7 CR Datapath Block .... 

3.1. 1.8 SR Datapath Block 

3.1. 1.9 Finite-State Machines 

3.1.2 Block Diagram Descriptions .... 

3.1.2.1 P_Port Structure 

3. 1.2.2 M_Port Structure 

3.1. 2.3 R_Port Structure 

3. 1.2.4 C_Port Structure 


19 

19 

19 

19 

20 
22 
23 
23 

25 

26 
26 
26 

27 

28 
29 
32 
34 


PRECEDING PAGE BLANK NOT FILMED 


iii 


lima&touu awa* 



3. 1.2.5 SU_Cont Structure 38 

3.2 Port Phase-Level Behavior 39 

3.3 Port Clock-Level Behavior 40 

3.4 PIU Port-Level Structure 40 

3.5 PIU Clock-Level Behavior 41 

4 Models for Transaction Specification 42 

4.1 Introduction 42 

4.2 Abstract Views 43 

4.3 Representing Transaction Systems 45 

4.4 Preliminary Transaction Model Design 47 

4.4. 1 The Transaction Model 47 

4.4. 1.1 Ports 48 

4.4. 1.2 State 48 

4.4. 1.3 Transactions 48 

4.4. 1.4 Operation 48 

4.4.2 Development Plan and Comments 48 

4.5 Conclusions 49 

5 Towards an Integrated Simulation/Verification Environment 50 

5.1 New Datatypes in HOL 50 

5.1.1 Arrays 50 

5.1.2 N-Bit Words 51 

5.2 An Example in M 51 

5.3 An Example in HOL 53 

6 Conclusions 54 

7 References 56 

A ML Source for Component Specifications 58 

B ML Source for the Gate-Level Specification of the PIU Ports 80 

B.1 P Port Specification 80 

B.2 M Port Specification 86 

B.3 R Port Specification 94 

B.4 C Port Specification 103 

B.5 SU_Cont Specification 114 

C ML Source for the Phase-Level Specification of the PIU Ports 121 

C.1 P Port Specification 121 

C.2 M Port Specification 128 

C.3 R Port Specification 136 

C.4 C Port Specification 151 

C.5 SU_Cont Specification 173 

D ML Source for the Clock-Level Specification of the PIU Ports 182 

D.1 P Port Specification 182 

D.2 M Port Specification 186 

D.3 R Port Specification 190 


iv 


ti 



E 

F 


D.4 C Port Specification 

D.5 SU_Cont Specification 

ML Source for the PIU Block-Level Specification 

ML Source for the PIU Clock-Level Specification 


.198 

.209 

.215 

.219 


v 



VI 



List of Figures 


1.1 
1.2 
1 ' X 

Block Diagram of the Processor-Memory Module (PMM) 

Major Blocks of the Processor Interface Unit (PIU) 

2 

3 

7 


A UiAforrhv rtf IntpmrpfprQ 

11 

L. 1 

TKa Tfltmvxrol A KcffO pfirtrt FiiflPtioflC IT* finH lr 

12 

L.L 

J.HG IClllUUlol AUMloUiUH ruilUJUUo i (Uiu u 


1 1 


21 

3.1 
1 0 

1 WO OCllCo LdlUlCo U1UULCU Ujr UK douk * uoot/ 

InfArvol PpnrpcpntQtinnc 

22 

j>Z 

3.3 

-1 A 

Hvomnlp TO Plin Firm PonctnirtPil With T .fltr.hftS 

23 

Uutipftnnal Ulnr*l r T"liam*am rtf 51 Prtlintpf 

24 

3.4 


24 

3.5 

runcuonai diock u i dgrdiii 01 uic uoiapaui 

25 

3.0 

runcuonai diock oidgraiu ui uic tv^iv uauxyain 

26 

3. / 
*1 o 

runcuonai DIOCK Ulagldlll Ol UIC V->iv uauii/auj 

27 

3.o 

1 Q 

runcuonai diock uidgram ui uic da uaiojjaui uiuc& 

27 

3.V 
7 in 

runcuonai diock uidgidiii iui muic duhc * 

D Dnrt Tnn T avaI RlnrV Ut^orJim 

28 

j.IU 


29 

3.1 1 


30 

dAL 

110 

w p/\«4 Tr>f% T pvpl Rlnrlf Diagram 

30 

3.13 
1 1 A 

Rlrt^V niaoram nf thp M Port T")atanath 

31 

3. 14 

1 ic 

Dlrtrtlr niortrom rtf thp K4 Port C flfltTOllPr 

32 

3.15 
1 1 A 

d Prtrt Trtrt I avpI Rlnrk Hiiitfram 

33 

3.10 
1 n 

RIapIt niottroiri rtf Ppoictpf Rip f^ontrollfir 

33 

3.1/ 
1 1 Q 

OiafYrnm nf thp Timpr Intpmint RlfiHf 

34 

3. lo 

1 1 0 

PlnnU OiQtrrQfti rtf thp Ppoicfpf lflt<*miOt RlOflc 

34 

3.1V 
i on 

DlvvK Uldgl dill Ol UiC IxCgldlCi IIIlVllUpL LIlVIvA 

P Dnrt Trtn_I <*vp 1 Rlrtrlf DlJUfTfllTI 

35 

'.ZU 
1 01 

Rirtpt niaofflm nf thp f 1 Port Datapath 

35 

3.Z 1 
1 00 

Ri/vlr TMoorom rtf thp C Port f^ontrollpr /Part 

36 

3.ZZ 
1 01 

RlrtrtV Piiacrram rtf thp C Port f^ontrollpr /Part 

37 

3.Z3 

3.24 

DIOCK UiagrdlU Ol UIC c_ruil c^uuuunci ^roa v) 

D1/\nb TMnm>nm rvf tKa Ctorhm Pnnffrtllpr PTT T_Pnft IlltP.rfflPP. - 

38 

DIOCK Uiagram Ol UIC ouUlup V^UlluLUlci nu run 

Dlnnb Diam-om nf tha Ctortiin Prtntrrtllpf PPT T Intprfarft 

39 

3.Z5 

diock uiagram 01 me otariup cuuuuuci cru 


4 1 

TKp vja«/ ■from thp f^PIT 

43 

4. 1 
A 0 

Vipu; from thp Mpmnrv 

44 

4.X 
A 1 

Vtau7 from thp Nptu/nrk 

44 

4J 
A A 

Ahctraotion \/ip\i/C for thp PITT 

45 

4.4 

4.5 

Modeling the Buses in a Computer System using Tuple Space 

47 


vii 


PRECEDING PAGE BLANK NOT FILMED 



VU1 


a 



List of Tables 


1 . 1 R_Port Register Definitions 

2. 1 The abstract functions and their types for the generic interpreter model 


PRECEDING PAGE BLANK NOT FILMED 







X 



1 Introduction 


This report describes work to formally specify the requirements and design of a processor interface unit 
(PIU), a single-chip subsystem providing memory-interface, bus-interface, and additional support services 
for a commercial microprocessor within a fault-tolerant computer system. This system, the Fault-Tolerant 
Embedded Processor (FTEP), is targeted towards applications in avionics and space requiring extremely 
high levels of mission reliability, extended maintenance-free operation, or both. The need for high-quality 
design assurance in such applications is an undisputed fact, given the disastrous consequences that even a 
single design flaw can produce. Thus, the further development and application of formal methods to fault- 
tolerant systems is of critical importance as these systems see increasing use in modern society. 

The work described in this report is but a first step towards developing a provably correct fault-tolerant 
computing platform for application to real commercial and military systems. Beyond the PIU verification 
task that follows this work, future formal methods targets include at least two additional application-specific 
integrated circuits (ASICs) and the operating system software for the FTEP system. It is expected that the 
lessons learned in this PIU effort will influence the future design and modeling of these components to facil- 
itate their subsequent verification. 

This report contains five major sections following this introduction, as well as several appendices con- 
taining the PIU design specification in its full detail. Section 2 describes the generic interpreter theory used 
to formally specify portions of the PIU design. This theory builds on previous NASA-funded work 
described in [Win90], with important extensions in the handling of interpreter outputs to support subsystem 
composition. 

Section 3 explains the PIU design specification at a high level to facilitate the understanding of the for- 
mal models contained in the appendices. The specification itself was written using the HOL theorem-prov- 
ing system developed at the University of Cambridge, England [Gor88]. 

Section 4 describes our progress in developing a transaction-based modeling approach for specifying 
the PIU requirements. A number of modeling candidates were investigated and a preferred approach was 
identified for formalization in HOL. 

Section 5 describes our initial efforts at integrating our hardware design and verification environments 
into a single framework. A prototype M-to-HOL translator was developed and was used to translate the PIU 
behavioral specifications initially written in the simulation language M. 

Section 6 contains a concluding discussion. 

Before leaving this section, we first present an informal description of the PIU, including both its struc- 
ture and an overview of its behavior. Following this we introduce the specification hierarchy developed for 
the PIU. 

1.1 Informal PIU Description 

The PIU is a single-chip subsystem providing memory-interface, bus-interface, and additional support 
services within the Processor-Memory Module (PMM) of the FTEP system. The PIU's position within the 
PMM structure is shown in Figure 1.1. A PMM, itself a single block within an FTEP Core, interconnects 
three internal PMM subsystems: the local processors, the local memory, and the Core Bus (C_Bus) inter- 
face. 

The PMM processors (CPU0 and CPU1) are arranged in a cold-sparing configuration to enhance long- 
life operation. Only one processor is active during a given mission, with the choice of active processor deter- 
mined during initialization. The spare processor is disabled by the PIU through assertion of the processor's 
cpu_reset input. For the first implementation of the PMM, described in this report, Intel 80960MC micro- 
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processors are used for the local processors. They communicate with the PIU using the L_Bus bus protocol 
of the 80960. 

Processor programs and data are stored in local electrically-erasable programmable read-only memory 
(EEPROM) and static random access memory (SRAM), respectively. Memory accesses are initiated by 
either the local processor or an external block acting as C_Bus master. In either case the PIU provides the 
memory interface. The features provided by the PIU include memory error correction, memory locking to 
implement atomic read-modify-write operations, byte accesses, and block accesses of up to 64 words. 
EEPROM and SRAM memory capacity in the first implementation is 1 MB (megabyte) of actual informa- 
tion storage each, implemented within seven 256Kx8-bit memory chips each. A (7,4) Hamming code pro- 
vides single-bit error correction on memory reads. 

The PIU also provides processor support features such as timers and interrupt control. Two 64-bit timers 
can be set by the processor to provide either timekeeping or watchdog functions. Processor interrupts are 
generated within the PIU under two conditions. One condition is a timer time-out; the other is a write oper- 
ation to a specially designated PIU register by either the local processor or C_Bus master. 

The reset and clock signals shown at the top of Figure 1.1 are produced by the Fault-Tolerant Clock Unit 
(FTCU) not shown here. The pmm_reset signal is sent only to the PIU to allow it greater control over the 
local processors. For example, the PIU uses this signal to enter its initialization mode, during which it acti- 
vates the processor reset signals. All of the PIU input signals produced by the FTCU are synchronized with 
those in the PIUs in redundant PMMs of a fault-tolerant FTEP core. 

The structure of the PIU itself is shown in Figure 1.2. The Processor Port (P_Port), C_Bus Port 
(C_Port), and Memory Port (M_Port) implement the communication protocols for the L_Bus, C_Bus, and 
M_Bus, respectively. The M_Port also implements (7,4) Hamming encoding and decoding on writes and 
reads, respectively, to the local memory, and the C_Port implements single-bit parity encoding and decoding 
for C_Bus transfers. 
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Figure 1.1: Block Diagram of the Processor-Memory Module (PMM). 
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The Register Port (R_Port) is the fourth, and final, port residing on the PIU’s Internal Bus (I_Bus). It 
contains a state machine, counters, and various command and status registers used by the local processor to 
implement timers and interrupts. 

The Start-up Controller (SU_Cont) implements the PMM initialization sequence. After it has concluded 
initialization, control is turned over to the other ports with the SU_Cont continuing operation in a back- 
ground mode. The SU_Cont is not physically located on the I_Bus, however, for convenience, we will 
sometimes refer to it as one of the five PIU ports. 

Behaviorally, the PIU functionality can be divided into four categories: (1) PMM initialization, (2) 
local-processor memory accesses, (3) C_Bus memory accesses, and (4) timers and interrupts. 

1.1.1 PMM Initialization 

The PIU controls the PMM initialization sequence. After receiving a synchronous pmm_reset signal 
from the FTCU, the PIU initiates the testing of the two local processors (or CPUs). Based on the test results, 
the PIU selects one of the CPUs to be active for the upcoming mission, while at the same time isolating the 



Figure 1.2: Major Blocks of the Processor Interface Unit (PIU). 
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other CPU. During the initialization, the PIU also maintains the inter-PMM synchronization that is initially 
established by the FTCUs. 

The PIU initiates CPU self-test via the CPU reset signals that it controls. To begin the initialization 
sequence, the PIU resets CPU0, which then goes through a two-phase (Intel 80960) testing process of its 
own. In the first phase the CPU executes a 47,000-cycle self-test procedure; in the second phase the CPU 
reads the first eight words of local memory (via the PIU) and performs a check-sum test. If either of these 
tests fails, then the CPU’s failure0_ pin remains asserted, otherwise it is deasserted. 

After the CPU self-test is completed, the CPU executes a software-based test using a program and the 
prior-mission fault status stored in local memory. At preselected points in this program the CPU updates 
PIU registers in a prespecified manner. At the end of this program, the PIU compares the modified PIU reg- 
ister values against their expected values. This acceptance test is the final major test of CPU functionality 
during initialization. 

At the same time that CPU0 is being tested, the PIU isolates CPU1 by asserting its cpu1_reset input. 
Once the testing of CPU0 is completed, the roles are reversed. After both CPUs have been tested, the PIU 
selects one to be active for the upcoming mission. The selection algorithm makes use of the CPU failure 
signal outputs and the acceptance-test results: if CPU0 is ok then it is selected, otherwise if CPU1 is ok then 
it is selected, otherwise neither one is selected. Once the selection is made, the selected CPU is reset again 
and begins normal operation. The PIU isolates the other CPU by keeping its reset active. 

An important PIU requirement is to maintain clock-level synchronization between redundant PMMs, 
yet accommodate possible nondeterminism within the PMM initialization sequences. Before the PMM ini- 
tialization begins, the redundant PMM clocks are synchronized by the FTCUs, and pmm_reset signals are 
delivered to the PIUs synchronously across all PMMs. Synchronization is maintained by establishing max- 
imum time durations for each phase of the initialization and having each PMM use the entire duration. The 
PIUs enforce these phase boundaries and thus guarantee that each PMM leaves its initialization on precisely 
the same clock cycle. 

1.1.2 CPU Accesses to Memory 

The PIU controls CPU reads and writes to the local memory, the internal PIU registers, and global mem- 
ory. 


1.1.2.1 To Local Memory 

The PIU implements error-correction code (ECC) encoding and decoding and supports atomic memory 
operations, byte accesses, and 2-, 3-, and 4-word block transfers. 

On writes to the local memory, the PIU encodes the 32-bit data words using a single-error-correction 
(7,4) Hamming code. The 56-bit encoded words are stored such that each 7-bit word (there are eight of 
these) is spread among the seven 256Kx8-bit memory chips. On reads, the decoding process implemented 
within the PIU masks all faults affecting one of the seven bits of each code word. Entire memory-chip fail- 
ures are thus handled. 

Atomic memory accesses, the atomic add and atomic modify instructions of the Intel 80960 instruction 
set, are supported by the PIU. During these operations the PIU prevents the C_Bus from gaining access to 
the local memory. The PIU uses the lock signal provided by the CPU during these operations. 

Byte accesses to the local memory are supported by the PIU. Reads are implemented in a straightfor- 
ward way. Writes are implemented using a read-modify-write operation that reencodes the entire 32-bit data 
word. 

Byte accesses of up to four words are also supported to implement cache refilling within the CPU. 
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1 . 12.2 To Internal Register File 

The PIU supports atomic accesses and 2-, 3-, and 4-word block transfers to and from its internal regis- 
ters within the R_Port. Byte accesses are not supported, nor is the data encoded before being stored. Table 
1.1 shows the R_Port register definitions. 

The Interrupt Control Register (ICR) supports memory-mapped interrupts to the local processor. The 
register is divided into four fields. The first two contain the interrupt settings and mask bits for int0_, in bits 
0 through 7 and 8 through 15, respectively. A logic-1 in both a set location and the associated mask location 
signifies an active interrupt, which if enabled (external to the R_Port) will generate an active int0_ signal to 
the processor. Bits 16 through 31 are used in a corresponding way for int3_. 

The ICR contents are updated in two different ways. A write to register address 0 implements a logical- 
AND operation on the new value and the old register contents, while a write to address 1 implements a log- 
ical-OR operation. These two operations implement the resetting and setting of register bits, respectively. A 
read to either of these addresses returns the current register value. 

The General Control Register (GCR) and Communication Control Register (CCR) provide control bits 
to the internal PIU and the C_Bus, respectively. The GCR bits include the start-up software counter enable 
(used for the acceptance test discussed earlier), R_Port counter configuration control bits, and parity-error- 
latch reset bits. The CCR contains the message header for the next C_Bus transaction. Either of these reg- 
isters can be written to or read from by the local processor. 

The Status Register (SR) holds status information produced internally to the PIU. This includes start- 
up error-detection status, local-memory and C_Bus error-detection status, start-up controller state, and the 
last C_Bus slave-status report. This register is read-only. 

Register addresses 8 through 11 are used to load new counter values to the 32-bit counters 0 through 3, 
respectively. These load values can be read by the local processor using the same addresses. Register 
addresses 12 through 15 are read-only locations containing the current value of the four counters. 

The four counters are combined to form two 64-bit counters which can be configured in a variety of 
ways via control bits in the GCR. The choices include enabled vs. disabled counting, enabled vs. disabled 
interrupting on overflow, and reloading vs. count-continuation on overflow. Counters 0 and 1 together sup- 
port timer interrupts using the int1 interrupt line; counters 2 and 3 use int2. 


Table 1.1: R_Port Register Definitions. 


Register Address 

Contents 

0 

Interrupt Control Register (ICR) reset 

1 

ICR set 

2 

General Control Register (GCR) 

3 

Communication Control Register (CCR) 

4 

Status Register (SR) 

8 

Counter 0 in 

9 

Counter 1 in 

10 

Counter 2 in 
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Table 1 .1 : R_Port Register Definitions. 


Register Address 

Contents 

11 

Counter 3 in 

12 

Counter 0 out 

13 

Counter 1 out 

14 

Counter 2 out 

15 

Counter 3 out 


1.1.2.3 To the C_Bus 

The upper 2 GB (gigabytes) of the CPU address space is reserved for external memory and input/output 
(I/O). The PIU routes CPU memory accesses at these addresses to the C_Bus. It implements the C_Bus pro- 
tocol, parity encoding and decoding of data, and support for atomic memory operations, byte transfers, and 
2-, 3-, and 4-word block transfers. 

The PIU implements the C_Bus communication protocol. This includes all arbitration actions and nec- 
essary handshaking. 

On writes to the C_Bus the PIU encodes each byte of data using a single-error-detection parity code. 
Data arriving over the C_Bus is likewise decoded. 

Atomic memory operations are supported by the PIU. Once the PIU acquires the C_Bus it doesn't relin- 
quish it until the atomic operation is completed. The PIU again makes use of the CPU lock signal to know 
when to do this. 

Byte transfers and 2-, 3-, and 4-word transfers are handled in a straightforward manner. 

1.1.3 C_Bus Accesses to Memory 

The PIU controls C_Bus reads and writes to local memory and the PIU register file. All of the support 
features described earlier for the CPU-initiated transfers are supported here as well. The C_Bus (i.e., the 
processing unit of an external block) has priority over the CPU for local memory accesses. The PIU holds 
off the local CPU using the CPU hold_ input signal. The PIU supports block transfers as large as 64 words 
over the C_Bus. 

1.1.4 Timers and Interrupts 

As explained above, the PIU contains two 64-bit counters and an interrupt control register. The counters 
can be used to implement timed interrupts as well as a real-time clock. The timed interrupts can be pro- 
grammed to provide either a single-shot interrupt or repeated, periodic interrupts. 

The interrupt register is a memory-mapped register used to implement 16 possible interrupts. These 
interrupts can be initiated by either the active local processor or an external C_Bus master. 

1.2 Specification Overview 

Figure 1.3 shows the specification hierarchy developed for the PIU. In constructing this hierarchy much 
emphasis was placed on maintaining compatibility with existing formal specification methods, particularly 
the generic interpreter theory described in Section 2. The resulting hierarchy reflects this emphasis, partic- 
ularly in the lower levels where many of the techniques described in [Win90] are used. 
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Consistent with established hierarchical specification methods, the levels in the hierarchy of Figure 1.3 
are abstractions of the levels below them. Four types of abstraction are used here. Temporal abstraction 
relates time at a particular level to the time at lower levels; each unit of time at the higher level corresponds 
to multiple time units at the lower level. Data abstraction relates the states of two levels, with the higher 
level state being a function (typically a subset) of the state at the lower level. In behavioral abstraction, a 
structural description at the lower level, defined using the physical interconnection of components or sub- 
systems, is replaced by a purely behavioral description at the higher level. Structural abstraction (or com- 
position) combines subsystems defined at one level to form a higher level. 

At the bottom of the PIU specification hierarchy is the gate-level description. This is a structural 
description derived from the lowest-level detailed design developed by the PIU design team. The chip lay- 
out is obtained directly from this level using silicon compilation techniques that are not within the scope of 
the specification and subsequent verification tasks. Components at the gate level include individual logic 
gates, latches, counters, and finite-state machines. This level is comparable to the electronic block model 
(EBM) level of [Win90]. 

The phase-level behavioral description for each of the five PIU ports is a behavioral abstraction of each 
corresponding gate level. This level is comparable to the phase level used in [Win90]. The specification at 
this level consists of an instruction set containing two instructions, one for phase A and one for phase B, 
defining the state transition and outputs generated during each phase. 

The clock-level behavioral description for the PIU ports uses a time interval of an entire clock period 
rather than a single phase (temporal abstraction), and the state is a subset of the phase-level state (data 
abstraction). Only a single instruction is defined for each port, specifying the state change and outputs of the 
port occurring during its execution. This level is comparable to the microinstruction level of [Win90] and 
elsewhere except that only a subset of the chip design (i.e., a port) is described here rather than the entire 
chip. 



Figure 1.3: PIU Specification Hierarchy. 
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The port-level structure is a structural composition of the five individual clock-level port specifications. 
The port composition is based on the established method of forming a logical conjunction of the individual 
port descriptions. 

The clock-level behavioral description for the PIU is a behavioral abstraction of the structural descrip- 
tion at the PIU port level, providing a clock-level description for the entire chip. This level is comparable to 
the microinstruction level referred to above, an important difference being in the approach to instruction 
decoding: here no decoding is used, resulting in a single instruction compared to the many microinstruc- 
tions in [Win90], for example. 

The transaction-style behavioral description is the topmost level in the PIU hierarchy providing a con- 
cise and easy-to-understand definition of PIU behavior. Whereas the lower five levels of the hierarchy rep- 
resent the PIU design and were developed bottom-up, the transaction level specifies the PIU requirements. 
In this role as human interface the transaction level must address modeling problems not faced at the lower 
levels. 

Three important problems unique to the transaction level are: (1) independently-initiated concurrent 
behavior, (2) multiple sequential outputs, and (3) shared state. Because of these, hardware modeling 
approaches used within the HOL community to date are inadequate for transaction-level modeling. Section 
4 describes these problems in more detail and explains our progress in developing a transaction-level model 
suitable for the PIU. 
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2 Generic Interpreter Theory 

This section describes the generic interpreter theory used to model portions of the PIU. The work 
described in this section grew out of efforts to model microprocessors and thus the model discusses micro- 
processor specification and verification heavily. We have discovered that the model is useful for describing 
other hardware devices as well, and, in particular, we have found it to be well-suited for specifying the PIU 
design. The generic interpreter theory is described more fully in [Win90]. 

2.1 Introduction. 

The formal specification and verification of microprocessors has received much attention. Indeed, sev- 
eral verified microprocessors have been presented in the literature. This section presents an abstract model 
that describes a large class of hardware devices, including microprocessors and other devices with a single 
major control point. The model is called a generic interpreter and the theory contains important theorems 
about it. 

We have formalized the interpreter model in the HOL theorem proving system [Gor88,Gog88]. The for- 
mal model can be instantiated inside the system and serves as a framework for writing device specifications 
and verifying them. This framework clearly states what definitions must be made to specify the device and 
which lemmas must be established to complete the verification. After the user has defined the components 
of the hardware device model and proven the necessary lemmas about them, individual theorems from the 
abstract theory can be instantiated to provide concrete theorems about the actual device being verified. 

The model that we have defined has proven useful in specifying and verifying several microprocessors 
[Win90,Aro90]. The model is not, however, limited to microprocessors only. Recent work has shown that 
the model can be used in specifying other hardware devices as well [Win91]. Because the model was orig- 
inally developed for microprocessor modeling, however, much of the terminology in the model (e.g., 
instruction set) is influenced by microprocessor terminology. We have kept it even though more general ter- 
minology might be better in some cases. 

The model we have defined differs from other formal descriptions of state machines (such as Loewen- 
stein’s model in [Low89]) by including the data and temporal abstractions that are important in specifying 
and verifying microprocessors in the formalization. 

2.2 Formal Microprocessor Modeling. 

There have been numerous efforts to formally model microprocessors. At the time this project was 
begun the best known of these included Jeff Joyce’s Tamarack microprocessor [Joy89], Warren Hunt’s 
FM8501 and FM9001 microprocessors [Hun87, Hun92], and Avra Cohn’s verification of VIPER [Coh88]. 
Tamarack is a simple microprocessor with only 8 instructions. FM8501 is larger (roughly the size of a PDP- 
11), but has not been implemented; FM9001 is a 32-bit version that is being verified and implemented. 
VIPER is the first microprocessor intended for commercial use where formal verification was used. How- 
ever, the verification has not been completed because of the large case explosion that occurred and the size 
of the proofs in each of the cases. Recent work on hierarchical specification [Win88], coupled with the work
presented here, has overcome this problem; microprocessors significantly more complicated than VIPER 
are now within the realm of formal treatment. 

2.2.1 Microprocessor Specification. 

The specifications for the microprocessors mentioned above appear very different on the surface; in fact, 
the specifications of FM8501 and FM9001 are even in a different language. On closer inspection, however, 


each uses the same implicit behavioral model. In general, the model uses a state transition system to describe 
the microprocessor. A microprocessor specification has four important parts: 

1. A representation of the state, S.

2. A set of state transition functions, J, denoting the behavior of the individual instructions of the micro- 
processor. Each of these functions takes the state defined in step (1) as an argument and returns the state 
updated in some meaningful way. 

3. A selection function, N, that selects a function from the set J according to the current state. 

4. A predicate, I, relating the state at time t+1 to the state at time t by means of J and N.

In some cases, the individual state transition functions, J, and the selection function, N, are combined 
to form one large state transition function. Also, a functional specification would use a function for part (4) 
instead of a predicate. The general form, however, is the same. 

2.2.2 Microprocessor Verification. 

Just as most microprocessor specifications are similar, so too are their verifications. After the micropro- 
cessor has been specified, we can verify that a machine description, M, implements the specification, I, for
some state, s, by showing: 


$$\forall s \in S.\ (M(s) \Rightarrow I(s))$$

That is, we show that I has the same effect on the state, s, as M does. This theorem is typically shown by 
case analysis on the instructions in J by establishing the following lemma: 

$$\forall j \in J.\ M(s) \Rightarrow (\forall t.\ C(j, s, t) \Rightarrow (s(t + n_j) = j(s(t))))$$

where C is a predicate expressing the conditions for instruction j's selection, s(t) is the state at time t, and $n_j$
is the number of cycles that it takes to execute j. This lemma says that if an instruction j is selected, then
applying j to the current state yields the state that results by letting the implementing interpreter M run for
$n_j$ cycles. We call this lemma the instruction correctness lemma.

2.3 A Formal Model of Interpreters. 

An interpreter is a computing structure with one control point. One of the many available instructions
is chosen at this control point based on the current state and inputs. The state is then processed by this 
instruction and the cycle begins again. 

In general, a microprocessor specification can consist of many abstraction levels. Every level except the 
bottom specification (which is the structural specification) can be modeled as an interpreter. A hierarchical
approach to specification and verification has been shown to significantly reduce the amount of effort 
required to complete the verification of a microprocessor [Win88]. 

Figure 2.1 shows a generalized hierarchy of interpreters. Note that each communicates with the state 
and environment, although most interpreters see only an abstraction of the state. An interpreter sends 
instructions to the interpreter below it and communicates (mostly timing) information to the interpreter 
above it 

2.3.1 Abstract Theories. 

A theory is a set of types, definitions, constants, axioms and parent theories. Logics are extended by 
defining new theories. An abstract theory is parameterized so that some of the types and constants defined 
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Figure 2.1: A Hierarchy of Interpreters. 


in the theory are undefined inside the theory except for their syntax and a loose algebraic specification of
their semantics. Group theory is an example of an abstract theory. The multiplication operator is undefined
except for its syntax (a binary operator on type ":group") and a loose semantics given by the axioms of group
theory.

Abstract theories are useful because they provide proofs about abstract structures that can be used to 
reason about specific instances of the structure. In groups, for example, after showing that addition over the 
integers satisfies the axioms of group theory, we can use the theorems from group theory to reason about 

addition on the integers. 

An abstract theory consists of three parts: 

1. An abstract representation of the uninterpreted constants and types in the theory. The abstract repre- 
sentation contains a set of abstract operations and a set of abstract objects. (These are sometimes called 
uninterpreted constants and uninterpreted types.) 

2. A set of theory obligations defining relationships between members of the abstract representation. Inside 
the theory, the obligations represent axiomatic knowledge concerning the abstract representation. Out- 
side the theory, the obligations represent the criteria that a concrete representation must meet if it is to 
be used to instantiate the abstract theory. 

3. A collection of abstract theorems. The theorems are generally based on the theory obligations and can 
stand alone only after the theory obligations have been met 

To instantiate an abstract theory, the concrete representation must meet the syntactic requirements of the 
abstract representation as well as the semantic requirements of the theory obligations. If the syntactic and 
semantic requirements are met, then the instantiation provides a collection of concrete theorems about the 
new representation. 

There are several specification and verification systems that support abstract theories. Some, such as 
OBJ [Gog88] and EHDM [SRI88], offer explicit support. HOL, the verification environment used for the 
research reported here, does not explicitly support abstract theories; however, HOL’s metalanguage, ML,
combined with higher-order logic, provides a framework for implementing abstract theories [Win90a] in a
manner that does not degrade the trustworthiness of the theorem prover.

2.3.2 Temporal Abstraction 

Before we can discuss the formal model, we must describe the temporal abstraction that it uses. The 
development follows that of [Joy89,Mel88,Her88]. 

In general, different levels in the interpreter hierarchy will have different views of time. We use tempo- 
ral abstraction to produce a function that maps time at one level to time at another. Figure 2.2 shows a tem- 
poral abstraction function F. The circles represent clock ticks. The number of clock ticks required at the 
implementing level to produce one clock tick at the implemented level is irregular. 

The predicate, G, is true whenever there is a valid abstraction from the lower level to the upper level.
We can define a generic temporal abstraction function in terms of G. In a microprocessor specification, G is
usually a predicate indicating when the lower level interpreter is at the beginning of its cycle — a condition
that is easy to test.

We will use a function Temp_Abs as our temporal abstraction function. The function is defined recur-
sively so that (Temp_Abs g 0) is the first time that the predicate g is true and (Temp_Abs g (n+1)) is the next
time after time n when g is true. We will not develop the details of the temporal abstraction function here,
but refer the interested reader to the references given above and [Win90].

2.3.3 The Abstract Representation 

We specify the abstract representation by defining a list of abstract objects and operations. Table 2.1
shows the operations and their types. We must emphasize that the representation is abstract and, therefore, 
the objects and operations have no definitions. The descriptions that follow are what we intend for the rep- 
resentation to mean. The representation is purely syntactic, however. 

The following abstract types are used in the representation. 

• :*state represents the state.

• :*env represents the environment.


s ? ? ? 
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Figure 2.2: The Temporal Abstraction Functions F and G. 
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Table 2.1: The abstract functions and their types for the generic interpreter model. 


| Operation | Type |
|---|---|
| instructions | `":*key->(*state->*env->*state)"` |
| select | `":*state->*env->*key"` |
| output | `":*key->(*state->*env->*out)"` |
| substate | `":*state'->*state"` |
| subenv | `":*env'->*env"` |
| subout | `":*out'->*out"` |
| Impl | `":(time'->*state')->(time'->*env')->bool"` |
| count | `":*state'->*env'->*key'"` |
| start | `":*key'"` |


• :*out represents the outputs.

• :*key is a type containing all of the keys. Keys are used to select instructions. For example, the opcodes
form the keys in the top-level specification of a microprocessor.

We add primes to the types to indicate that they represent state, time, etc. at the implementing rather than 
the implemented level of the hierarchy. 

The abstract representation can be broken into two parts. The first contains those operations concerned 
with the interpreter. 

• instructions is the instruction set. The set is represented by a function from a key to a state transition
function. 

• select picks a key based on the present state and environment. 

• output is a set of output functions. The set is represented by a function from a key to a function that pro- 
duces output for a given state and environment. 

• substate is the state abstraction function for the interpreter. The substate function is used to hide the vis- 
ible state in the interpreter. 

• subenv is the environment abstraction. 

• subout is the output abstraction. 

Because we want to prove correctness results about the interpreter, we must have an implementation. 
The second part of the abstract representation contains three functions that provide the necessary abstract 
definitions for the implementation. 

• Impl is the abstract implementation. We could have chosen to make this function more concrete, but do- 
ing so would have required that every implementation have some pre-chosen structure. Thus, we say 
nothing about it except to define its type. 

• count is analogous to select except it operates at the implementing level. 

• start denotes the beginning of the implementation clock cycle. 
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We will ensure that count periodically reaches start as part of the synchronization process. 

2.3.4 The Theory Obligations 

Proving that the implementation implies the interpreter definition is typically done by case analysis on 
the instructions; we show that when the conditions for an instruction’s selection are right, the instruction is 
implied by the implementation. We call this the instruction correctness lemma. 

The predicate INSTRUCTION_CORRECT expresses the conditions that we require in the instruction
correctness lemma:¹

|-def INSTRUCTION_CORRECT gi s' e' inst =
    (Impl gi s' e') ==>
    (!t:time'.
       let s t = (substate gi (s' t)) in
       let e t = (subenv gi (e' t)) in
       let f t = (count gi (s' t) (e' t) = (start gi)) in
       let k = (select gi (s t) (e t)) in
       ((inst = (instructions gi k)) ∧ (f t) ==>
          ?c. Next f (t,t+c) ∧ (inst (s t) (e t) = (s (t+c)))))

INSTRUCTION_CORRECT operates on a single instruction inst. The implementation implies that for
every time, t, if inst is selected and the implementation’s counter is at the beginning, then there is a time c
cycles in the future such that applying the instruction to the current state yields the same state change that 
the implementation does in c cycles. 

INSTRUCTION_CORRECT is a good example of the kind of information that is captured in the generic
model. Previous microprocessor verifications created this lemma, or one similar to it, in a largely ad hoc 
manner. 

Because our model has outputs as well as inputs (the environment), we must also assume something 
about the output in order to establish correctness. The predicate OUTPUT_CORRECT expresses the condi- 
tions that we require in the output correctness lemma: 

|-def OUTPUT_CORRECT gi s' e' p' k =
    (Impl gi s' e' p') ==>
    (!t:time'.
       let s t = (substate gi (s' t)) in
       let e t = (subenv gi (e' t)) in
       let p t = (subout gi (p' t)) in
       let f t = (count gi (s' t) (e' t) = (start gi)) in
       ((count gi (s' t) (e' t) = (start gi)) ∧
        (select gi (s t) (e t) = k) ==>
          (p t = (output gi k) (s t) (e t))))


1. The HOL code in this report is shown using the HOL convention of representing universal quantification,
existential quantification, implication, conjunction, disjunction, and negation by the symbols !, ?, ==>, ∧, ∨,
and ¬, respectively. The form “e1 => e2 | e3” represents “if e1 then e2 else e3.”
Using INSTRUCTION_CORRECT and OUTPUT_CORRECT we can define the theory obligations in our
model. The theory obligations are given as a predicate on an abstract representation gi:


|-def GI gi =
    (!s' e' p' k. INSTRUCTION_CORRECT gi s' e' p' k) ∧
    (!s' e' p' k. OUTPUT_CORRECT gi s' e' p' k)

The predicate says that every instruction in the instruction set satisfies the predicate INSTRUCTION_COR-
RECT and every output function satisfies the conditions set forth in OUTPUT_CORRECT.

2.3.5 Abstract Theorems 

Using the abstract representation and the theory obligations, many useful theorems pertaining to inter-
preters can be established on the generic structure. 

2.3.5.1 Defining the Interpreter 

One of the important parts of the collection of abstract theorems is the definition of a generic interpreter. 
The definition is based on functions from the abstract representation. 

|-def INTERP gi s e p =
    !t:time.
      let k = (select gi (s t) (e t)) in
      (s (t+1) = (instructions gi k) (s t) (e t)) ∧
      (p t = (output gi k) (s t) (e t))

The specification of an interpreter is a predicate relating the contents of the state stream at time t+1 to the
contents of the state stream at time t. The relationship is defined using the functions from the abstract rep- 
resentation. The definition also uses the currently selected output function to denote the current output. 

2.3.5.2 Induction on Interpreters 

The definition of the interpreter sets up a relation between the state at t and t+1. Sometimes it is useful
to have a more explicit statement regarding induction. The following theorem, which follows from the def-
inition of the interpreter given in Section 2.3.5.1, defines induction on an interpreter:

|- !Q. INTERP gi s e p ==>
       (Q (s 0) ∧
        !t. let inst = (instructions gi (select gi (s t) (e t))) in
            Q (s t) ==> Q (inst (s t) (e t))) ==>
       !t. Q (s t)

The theorem states that for any arbitrary predicate on states, Q, if Q is true of the state at time 0, and when
Q is true of the state at time t, it follows that it’s also true of the state returned by the current instruction,
then Q is true of every state.

We note that even though this theorem looks fairly simple, and indeed is quite easy to show in the 
generic theory, the theorem will eventually be instantiated with the entire denotational description of the 
semantics of a particular instruction set and will be quite involved. The same admonition holds for each of 
the theorems and definitions presented in this section. 
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2.3.5.3 The Implementation is Live 

Using the theory obligations, we can prove that the implementation is live. By live we mean that if the 
implementation starts at the beginning of its cycle, then there is a time in the future when the implementation 
will be at the beginning of its cycle again. That is, we show that the device will not go into an infinite loop. 

|- Impl gi s' e' ==>
     (!t. (count gi (s' t) (e' t) = start gi) ==>
          (?n. Next (λt. count gi (s' t) (e' t) = start gi) (t, t+n)))

Next P (t1, t2) says that t2 is the next time after t1 when P is true.

2.3.5.4 The Correctness Statement 

The correctness result can be proven from the definition of the interpreter and the theory obligations: 

|- let s t = (substate gi (s' t)) and
       e t = (subenv gi (e' t)) and
       p t = (subout gi (p' t)) and
       f t = (count gi (s' t) (e' t) = (start gi)) in
   let abs = (Temp_ABS f) in
   (Impl gi s' e' p') ∧
   (?t. f t) ==>
     (INTERP gi) (s o abs) (e o abs) (p o abs)

In the correctness statement, s’, e’, and p’ are the state, environment, and output streams in the imple- 
mentation. The terms (s o abs), (e o abs), and (p o abs) are the state, environment, and output streams for
the interpreter defined in the model. They are data and temporal abstractions of s’, e’, and p’. The correctness
statement says that if the implementation is valid on its state, environment, and output streams and there is 
a time when the implementing clock is at the beginning of its cycle, then the interpreter is valid on its state 
and environment streams. 
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2.3.5.5 Composing Interpreters Hierarchically 

In [Win88], we show that hierarchical decomposition makes the verification of large microprocessors 
practical. To support this decomposition, the generic interpreter model contains a theorem about composing 
generic interpreters hierarchically. 

|- (INTERP gi1 = Impl gi2) ∧
   (select gi1 = count gi2) ==>
   !(s'':time->*state'') (e'':time->*env'') (p'':time->*out'').
     let s' t = (substate gi1 (s'' t)) and
         e' t = (subenv gi1 (e'' t)) and
         p' t = (subout gi1 (p'' t)) and
         f t = (count gi1 (s'' t) (e'' t) = start gi1) in
     let s t = (substate gi2 (s' t)) and
         e t = (subenv gi2 (e' t)) and
         p t = (subout gi2 (p' t)) and
         g t = (select gi1 (s' t) (e' t) = start gi2) in
     let abs1 = (Temp_ABS f) in
     let abs2 = abs1 o (Temp_ABS (g o abs1)) in
     (Impl gi1 s'' e'' p'') ∧
     (?t. f t) ==>
     (?t. (g o abs1) t) ==>
       INTERP gi2 (s o abs2) (e o abs2) (p o abs2)

This theorem states that if gi1 and gi2 are generic interpreters and they are connected such that the inter-
preter definition of gi1 is the implementation of gi2 then the implementation of gi1 implies the interpret-
er definition of gi2.

This important theorem captures the temporal and data abstraction required to compose two interpreters.
This theorem is a good example of the utility of abstract theories in hardware verification. This theorem is 
tedious to prove and were it not contained in the abstract theory, it would have to be proven numerous times 
in the course of a single microprocessor verification. 

2.4 Parallel Composition 

Our eventual goal is to use the work that is described in Section 4 to show how a set of interpreters can 
be composed with each other in parallel. This goal is significantly different from the theorem described in
Section 2.3.5.5. In hierarchical composition, the implementation of one interpreter model is the interpreter 
from the other. In parallel composition, the two interpreters share a behavioral specification (i.e., interpreter 
definition), and the implementation is two or more interpreters linked together. The interpreters can be 
linked by shared state, common input, common output, and connections between the interpreters’ inputs and 
outputs. 

Undoubtedly, as our theory of composition matures, the generic interpreter theory will change. The 
advantage of generic theories is that these changes can be made more easily in the generic theory than they 
can in a specific definition of a VLSI device. 

2.5 Conclusion 

This section has described the generic interpreter model. The theory isolates the temporal and data 
abstractions of the proof inside the abstract theory. The theory also contains several important theorems 
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about the abstract representation. These theorems are true of every instantiation of the abstract representa- 
tion that meets the theory obligations. 

The theory has many important benefits: 

• The generic model structures the proof by stating explicitly which definitions must be made (one for each 
of the members of the abstract representation) and which lemmas need to be proven about these defini- 
tions (namely, the theory obligation). This is a substantial improvement over previous microprocessor 
verifications where these decisions were made on an ad hoc basis. 

• The generic model insulates users of the model from complex proofs about the data and temporal ab- 
stractions. These proofs are done once and then made available to the user by instantiation. 

• The use of a generic interpreter model for specifying and verifying microprocessors provides a method- 
ological approach. Making specification and verification methodological is an important step in turning 
what has been primarily a research activity into an engineering activity. 
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3 Design Specification 

This section describes the lower five levels of the PIU specification hierarchy (Figure 1.3), which con- 
stitute the design specification. The discussion proceeds bottom-up, beginning with the gate-level specifi- 
cation of individual ports and finishing up with the clock-level specification for the entire PIU. 

The gate-level specification, described in Section 3.1, corresponds to the lowest-level design imple- 
mented by the PIU design team. Below this level a silicon compiler provides the translation to the mask lay- 
out used for chip fabrication. The specification effort described in this report is not concerned with this 
translation, which currently falls within the domain of the tool vendor — Mentor Graphics Corporation. 

A set of detailed-design schematics was produced by the design team as part of the design process. 
Unfortunately they are not suitable for this report because, in printed form, many are too small to be under- 
stood. Because of this we created our own set of schematics, included in Section 3.1, to accompany the HOL
specifications located within the appendices. These schematics are provided as aids to understanding only, 
since, due to time constraints in developing them, they are not complete nor are they fully accurate. 

Sections 3.2 through 3.5 describe, in order, the phase-level specifications for the five ports, the clock- 
level specifications for the five ports, the port-level structural specification, and the clock-level specification 
for the entire PIU. 

3.1 Gate-Level Structure 

The gate-level specifications for the five PIU ports use the structural definition style described in 
[Gor86] and in use throughout the HOL community. Within each port, each component, or block, has its 
behavior specified in the form of a predicate; in essence, the block behavior is defined to be the relationship 
between inputs, outputs, and internal states that results in the predicate’s being true. The behavior of the 
composition of these blocks is defined as the logical conjunction of the individual block predicates. Exis- 
tentially quantified variables are used for the block interconnections internal to the port-level composition. 

The gate-level specification for the PIU is much too unwieldy for a detailed coverage in these pages. 
This section therefore provides only a high-level explanation of the PIU’s operation and the HOL models 
that represent it. References will be made to the appropriate sections of the appendices for the full details. 

We begin in Section 3.1.1 with a description of the components used in the PIU design. Fortunately, the 
design uses only a small subset of the component types available in the silicon compiler library, ranging in 
complexity from individual logic gates to medium-scale integration (MSI) datapath elements and finite-state 
machines. Section 3.1.2 explains how the components are combined to form the five PIU ports. 

3.1.1 Component Descriptions 

The HOL models for elementary logic gates follow closely the previous work in this area and we say
little about this subject. Modeling sequential logic is more interesting, however. Previous sequential models
generally depict even the most elementary components as edge-sensitive devices — a flip-flop perspective. 
However, in the design tool used for the PIU, the elementary sequential component is not edge-sensitive, 
but rather the level-sensitive latch. Flip-flops are higher order components, consisting of two or more 
latches. As explained below, the level-sensitive components used in the PIU require a different modeling 
approach. 

3.1.1.1 Combinational Logic 

The PIU specification requires only a few inverters, AND and OR gates, and buffers from the compo-
nent library. The specification style used for these components follows that of earlier work and is demon-
strated in the AND-gate definition shown here. The theory gates_def in Appendix A contains the complete
HOL source for these components.


|- AND3_SPEC a b c z = ∀ t:time . z t = (a t) ∧ (b t) ∧ (c t)


3.1.1.2 Latches

The HOL definitions for the latches used in the PIU design are contained in the theory latches_def in
Appendix A. In this section we describe the modeling of a simple D latch as an explanation of the HOL 
models. 

The following definition of a D latch demonstrates the specification style that we use for PIU latches.
This specification states that the next state q_state (t+1) equals the input d_in t if the clock clk_in t is active,
otherwise it equals its current value q_state t. The latch output q_out t equals the new state.


|- DLAT_SPEC d_in clk_in q_state q_out =
     ∀ t:time .
       (q_state (t+1) = (clk_in t) => d_in t | q_state t) ∧
       (q_out t = q_state (t+1))


Latch behavior is being expressed here as a finite-state machine (FSM), using both a next-state function 
and an output function. Previous latch models in HOL, where the next-state function was also used for out- 
puts, failed to faithfully represent true latch behavior. To demonstrate why this is true, Figure 3.1(a) shows 
an example circuit where two latches, in series, are clocked with the same phase of the system clock. To our
knowledge, scenarios such as this have not been considered in prior verification work; however, we cannot 
dismiss them since they occur within the PIU design. Actually, such combinations might be expected in any 
standard-cell approach to chip design where designers work with predefined cells containing a multitude of 
latches in fixed locations. There are places in the PIU design, for example, where avoiding these combina- 
tions would actually require a more complicated design. 

The circuit in Figure 3.1(a) would be incorrectly modeled if latch models containing only the next-state 
function of DLAT_SPEC were used. This is demonstrated in the HOL code segments of Figure 3.1(b), defin- 
ing first the behavior of the implementation, including the next state of latch L2 derived from this behavior,
followed by a reasonable specification for its required behavior. 

The behavior of the implementation (IMP) is a standard composition of individual latch behaviors. The 
key observation here is that the value of z at time t+1 depends on signal values at time t-1 (e.g., a (t-1)). 
However, as expressed in the model of required behavior (REQ), in reality the circuit of Figure 3.1(a), when
viewing the signal z, behaves no differently than a single A-clocked latch does (aside from propagation 
delay differences not expressed at this level). Therefore, the value of z (t+1) should be a function of signal 
values at time t, not t-1. Note that for the general case of N series, same-phase latches, we would have z (t+1) 
as a function of signals at time (t-N-1); clearly this is not what we want. We note that the source of this prob-
lem is the level-sensitive nature of latches, which results in cascaded latches behaving very much like com- 
binational logic; this is not true of edge-sensitive components such as flip-flops. 

Revisiting fundamental FSM definitions suggests ways to solve this latch modeling problem. In autom- 
ata theory texts, such as [Koh78], the next-state and present-output of an FSM are said to be functions of 
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(a) Block diagram. 

IMP = (b (t+1) = phase_A t => a t | b t) ∧
      (z (t+1) = phase_A t => b t | z t)

  (derived)

      z (t+1) = phase_A t =>
                  (phase_A (t-1) => a (t-1) | b (t-1)) |
                  z t

REQ = (b (t+1) = phase_A t => a t | b t) ∧
      (z (t+1) = phase_A t => a t | z t)

(b) Relationship between next z and current values, using standard latch model. 


Figure 3.1: Two Series Latches Clocked by the Same Phase. 

the present-state and present-inputs. Figure 3.2(a) is a pictorial representation of this where the present and
next times are denoted by t and t+1, respectively. Figure 3.2(b) shows an alternative approach where the 
inputs and outputs use the time index of the next-state. 

In models of synchronous systems such as FSMs, lower-level issues such as propagation delay are not 
represented. For a latch, whose time interval is a single clock phase, the present- and next-states correspond 
to the states at exactly the beginning and end of the phase, respectively. All present-inputs can similarly be
assumed to arrive at either the phase beginning or end. Present-outputs are defined in terms of the present- 
state and -inputs, and are assumed to be transmitted with zero delay. Of course, in reality an input is a 
present-input only if it satisfies the setup and hold times of the latch with respect to the falling edge (the end) 
of the clock phase; state changes and output transmissions have propagation delay as well. 

With this view of FSM behavior, it is clear that for a formal latch model to be composable in all clocking 
scenarios it must use the same time index for both its present-inputs and -outputs. This is necessary to permit 
signal propagation through series-connected, same-phase latches in zero time. In a latch model using only 
a single FSM next-state function, this function must play the role of the output function as well; thus, the 
time index of the current-output is t+1. If the standard interval representation of Figure 3.2(a) is used, then
the input and output time indexes don’t match, resulting in the problem explained above. Two obvious solu-
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Figure 3.2: Interval Representations. 

tions are to either use the alternative interval representation of Figure 3.2(b) or else use a second FSM func- 
tion for the output, matching its time index to that of the input. 

We mention the first solution, using the alternative interval representation, only to point it out as a can- 
didate for future consideration. We currently prefer the second approach, expressed in the model 
DLAT_SPEC above, since it is consistent with the generic interpreter model described in Section 2. 

3.1.1.3 Flip-Flops

HOL definitions for the flip-flops used in the PIU design are contained in the theory ffs_def of Appendix 
A. In this section we describe the modeling of a simple D flip-flop as an explanation of the HOL models. 

Flip-flops are built out of latches as in the example phase- A-clocked D flip-flop shown in Figure 3.3. In 
this model inputs arriving at the flip-flop during phase B are latched on the falling edge of B. The new flip- 
flop output is available at the beginning of phase A and remains stable for an entire clock period. From an 
edge-triggered point of view this flip-flop is seen to be clocked on the rising edge of phase A.

It is an interesting side note that in discussions with the PIU designers it became clear that their view of 
flip-flop behavior is somewhat different from the perspective that we employ. For example, if asked to 
choose which of the two latches in the flip-flop model of Figure 3.3 represents the true state of the flip-flop,
the designers say latch L2 and we say L1. This difference is easy to understand given the modeling environ-
ments that each group uses, and it turns out that the FSM-based specification approach embodied in Figure 
3.3(b) provides a perspective to help reconcile these two viewpoints. 

The PIU designers view latch L2 as the important one because it is the only one directly visible to them 
during simulation. All flip-flop changes occur on the rising edge of L2’s clock (phase A) and the flip-flop is 
stable otherwise. From this perspective the purpose of latch L1 is only to ensure the edge-triggered nature 
of the flip-flop by restricting possible flip-flop output values to those inputs arriving before phase A rises. 

As formal verifiers we view L1 as the important latch because it is clocked by phase B, the last phase in 
the clock cycle. This is important when we make the jump in abstraction from the phase level to the clock 
level and wish to eliminate one of the two state variables associated with these latches (data abstraction). As 
a general rule it is best to keep the latch with the most up-to-date state among the candidates for elimination, 
otherwise updated state will not be carried forward to the next clock cycle when the model is symbolically 
executed. From this perspective latch L1 contains the essential state of the flip-flop of Figure 3.3 and L2 
serves only to control the time at which the new flip-flop state is made externally visible. 

At the clock level of abstraction we model the state of a flip-flop as the contents of its phase-B latch and 
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(b) HOL representation. 


Figure 3.3: Example D Flip-Flop Constructed With Latches. 

embed the behavior of the phase-A latch within the flip-flop output. This FSM-based approach is also com- 
patible with the PIU designer perspective if we take a commonly-used black box view of fundamental com- 
ponents such as flip-flops. In such an approach, only the inputs and outputs of these components are visible 
to an outside observer during simulation — the internal state is hidden. 

3.1.1.4 Counters 

Counters are implemented as flip-flops surrounded by increment/decrement and selection logic. All of 
the counters used in the PIU design are functionally of the form of the example in Figure 3.4 — increment- 
ing is performed within the output stage rather than the input stage. The HOL source for all PIU counters is 
contained in the theory counters_def of Appendix A. 

The inputs ld_in and up_in control the operation of this counter. If ld_in is active then the input d_in is 
loaded into the counter, otherwise the current value, incremented or nonincremented according to the up_in 
input, is reloaded. The input up_in also controls the value output by the counter. 

3.1.1.5 CTR Datapath Block 

The PIU R_Port contains two 64-bit counters implemented using a total of four 32-bit CTR datapath 
blocks. The CTR datapath blocks are themselves built from lower-level components of the compiler library, 
but we treat them as primitives here since they are used directly in the R_Port specification. The HOL source 
for the CTR datapath block is contained in the theory datapaths_def of Appendix A. 

Figure 3.5 shows the functionality of the CTR datapath block. It behaves much like the counter of the 
previous section, but with additional features such as provisions for carry-in and carry-out and multiple out- 
put ports. 
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Of the 1 1 latches in this model, the one best representing the counter value is LA, holding the value ctr. 
Latch L2 contains the load-input, controlling whether a new value is loaded or the updated counter value is 
reloaded. Latches L1 and L8 hold these two values, respectively. Latches L5 and L6 hold values controlling 
the incrementer itself. For the top half of the 64-bit counters, L6 contains the carry-in from the lower half. 
Latch L7 holds the carry-out from the counter. Latches L9 and L10 implement a flip-flop holding the updated 
counter value for possible output. The two latches L3 and L11 control the writing of latch values onto Bus_A, 
from the input side and output side, respectively. 

3.1.1.6 ICR Datapath Block 

The R_Port contains a single Interrupt Control Register (ICR) implementing memory-mapped inter- 
rupts for the local processor. The HOL source for this block is located in the theory datapaths_def of Appen- 
dix A. 

Figure 3.6 shows a functional block diagram of this block. The true ICR value is located in the flip-flop 
implemented by latches L4 and L5. The flip-flop implemented by L1 and L2 holds the ICR value fed back 
using Bus_A. Latch L3 holds a mask-adjustment value that resets or sets individual mask bits according to 
the value of input icr_select. Latch L6 controls the writing of values onto Bus_A either as part of an ICR 
read by an external processor or the feedback mentioned above. 



Figure 3.6: Functional Block Diagram of the ICR Datapath Block. 
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3.1.1.7 CR Datapath Block 


The R_Port contains two control registers (CRs), called GCR (for General Control Register) and CCR 
(for Communications Control Register). The HOL source for the CR datapath block is located in the theory 
datapaths_def of Appendix A. 

Figure 3.7 shows a functional block diagram of the CR datapath block. In comparison with the previous 
two datapath blocks, this one is relatively simple, containing a single latch (L1) to hold a loaded 32-bit value 
and a latch (L2) to control the writing of this value onto Bus_A. The second output port, always enabled, 
provides the CR bits to the PIU subsystems controlled by the control register. 



Figure 3.7: Functional Block Diagram of the CR Datapath Block. 


3.1.1.8 SR Datapath Block 

The R_Port contains a single Status Register (SR) that may be read by an external processor. The HOL 
source for the SR datapath block is located with the previous datapath blocks in the theory datapaths_def of 
Appendix A. 

Figure 3.8 shows a functional block diagram of this datapath block. Inputs provided by several sub- 
systems of the PIU are collected and stored in latch L1; latch L2 controls the writing onto Bus_A. 

3.1.1.9 Finite-State Machines 

Finite-state machine (FSM) modules are used in every PIU port to control the sequencing of port oper- 
ations. Each FSM module has the structure shown in Figure 3.9. FSM inputs are loaded during phase B, as 
is the fed back present-state. Combinational logic implements the next-state and output functions, whose 
results are loaded into the output latches during phase A for transmission to the external system. 
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Figure 3.8: Functional Block Diagram for the SR Datapath Block. 


3.1.2 Block Diagram Descriptions 

To simplify the PIU specification task, we augmented the set of compiler-library components just 
described with several logic-blocks built of more-primitive components. Two guidelines were followed in 
constructing these superblocks. First, instances of multilevel logic were converted into equivalent behav- 
ioral descriptions. Secondly, memory elements holding multibit words were sometimes grouped into single 
blocks to facilitate modeling with our array-access functions. Together, these steps greatly decreased the 
number of components in the gate-level description of the PIU with a risk of introducing modeling error that 
we consider to be low. 


state 



phase_B phase_A 


Figure 3.9: Functional Block Diagram for Finite-State Machines. 
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Creating superblocks also has the beneficial side effect of simplifying our description of the five PIU 
ports. Even so, the complexity of the resulting specification remains formidable and a fully-detailed pic- 
torial description of the PIU structure is beyond the scope of this report. The HOL descriptions in Appendix 
B should be considered the gate-level specification for the five PIU ports; the descriptions in this section are 
intended only to provide insight so that the HOL is more easily understood. Although considerable care has 
gone into the construction of these descriptions, they are not complete and contain minor inaccuracies as 
well. 

The ports are described in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont, in the following 
five subsections. 

3.1.2.1 P_Port Structure 

The top-level block diagram of the P_Port, shown in Figure 3.10, describes the partitioning of the 
P_Port into two subblocks: datapath and controller. These are further broken down in the two figures that 
follow Figure 3.10. 



Figure 3.10: P_Port Top-Level Block Diagram. 

The P_Port Datapath, shown in Figure 3.11, consists mainly of latches to hold L_Bus-sourced informa- 
tion and tristate buffers for driving the L_Bus and I_Bus. Read from top to bottom, the latch contents 
are: 32-bit data, the 26 least significant address bits, the most significant address bit, the 4-bit byte enables, 
and the write/read bit, all sourced by the local processor. All control signals are provided by the P_Port Con- 
troller. 

The P_Port Controller is shown in Figure 3.12. The FSM block implements the I_Bus protocol and sup- 
ports atomic memory accesses by the local processor. The other blocks support the FSM by encoding infor- 
mation received from the two adjacent buses and by handling some of the control-signal generation. 

The Req_Inputs block implements the setting and resetting of the P_rqt latch, based on new-transaction 
requests and transaction-completed messages received from the L_Bus and I_Bus, respectively. An active 
high P_rqt indicates a pending or in-progress L_Bus transaction. 

The Ctr_Logic block keeps track of the number of words remaining in the current transaction so that the 
slave port can be notified when the last word is being accessed. 
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Figure 3.11: Block Diagram of P_Port Datapath. 


The Lock_Inputs block and associated latches provide support for handling atomic operations. The 
P_lock_ latch holds the most recent valid lock signal provided by the local processor. The FSM implements 
memory locking by locking the I_Bus. 

3.1.2.2 M_Port Structure 

The top-level structure of the M_Port is shown in Figure 3.13. It has the same form as the P_Port, con- 
taining a single datapath block and a single controller block. These are described further in the two figures 
following Figure 3.13. 

Figure 3.14 shows the structure of the M_Port datapath. On the left is the interface to the M_Bus. The 
EDAC_Decode_Logic block performs a Hamming decode on the 56-bit data received from the M_Bus, 
while the Enc_Out_Logic block encodes 32-bit data for writing onto the M_Bus. 

The Read_Latches block stores the 32-bit decoded data word read from memory. The Mux_Out_Logic 
block selects bytes from this stored value or else the word currently on the I_Bus for writing onto the 
M_Bus. The stored bytes are written back as part of a read-modify-write implementation of byte-write oper- 
ations. 
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(to/from M_Port Controller) 



Figure 3.14: Block Diagram of the M_Port Datapath. 


The M_Port controller is shown in Figure 3.15. The left side of the figure is the I_Bus interface. The 
SE_Logic block determines whether a memory access is to SRAM memory or to EEPROM memory, based 
on the memory address. It drives the appropriate chip-select signal based on this determination. 

The WR_Logic block determines whether a memory access is a read or write and provides this informa- 
tion to the rest of the M_Port. The Addr_Ctr block and BE_Logic block store the memory address and byte 
enables, respectively, for the word being accessed. 

The Rdy_Logic, Ctr_Logic, and Srdy_Logic blocks together implement most of the I_Bus protocol for 
the M_Port, which consists mainly of controlling the value of the I_srdy_ signal transmitted back to the 
I_Bus master. The 2-bit counter in Ctr_Logic implements variable wait-states for the SRAM and EEPROM 
memory. 

The FSM block provides high-level control of the memory interface. It sequences through a series of 
states, depending on the type of memory transaction, and provides output signals mainly used by the 
Enable_Logic block to implement the control of the M_Port datapath. The FSM also directly controls bus 
enabling for the I_Bus. 

The Memparity_In_Logic block and its associated latch store the error status for memory accesses. The 
output MB_parity is transmitted to the R_Port where it is stored in the Status Register. 
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Figure 3.15: Block Diagram of the M_Port Controller. 


3.1.2.3 R_Port Structure 

The R_Port top-level block diagram is shown in Figure 3.16. Of the five major blocks shown there, three 
are described further in the figures that follow Figure 3.16. The Register File block is not broken down fur- 
ther since it consists entirely of the datapath blocks described in Sections 3.1.1.5 through 3.1.1.8. There are 
four CTR blocks implementing two 64-bit counters, one ICR block, two CR blocks implementing the GCR 
and CCR, and one SR block. 

The Bus Interface block represents the multiple tristate buffers that potentially drive the Bus_A node of 
the R_Port. This block is similar to the approach used to model buses described in [Joy90]. 

The Register File Controller is shown in Figure 3.17. The Wr_Lat block determines whether a register 
access is a read or write and provides this information to the rest of the R_Port. The FSM block is a simple 
3-state state machine providing high-level control of the register accesses and I_Bus interface. The RW_Sigs 
block encodes the FSM output to implement this control. 

The Reg_Sel_Ctr block contains a 4-bit counter holding the register number for the current access. The 
R_srdy_del_ latch value is used to increment the counter on multiword accesses. The Reg_File_Ctl block 
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Figure 3.16: R_Port Top-Level Block Diagram 

decodes the register address to create most of the control signals needed by the register file. 

The Timer Interrupt Block is shown in Figure 3.18. It consists of two identical sub-blocks, each imple- 
menting the interrupt logic for one of the two 64-bit counters. 

The latches R_c01_cout and R_c23_cout hold the carry-out values of the two counters. The 
Ctr_Int_Logic blocks use this information and several bits of the GCR to determine whether the timer interrupts 
should be enabled or not. The two interrupt outputs, Int1 and Int2, are active-high signals sent to the local 
processor. 



Figure 3.17: Block Diagram of Register File Controller. 
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Figure 3.19 shows the structure of the Register Interrupt Block. The And_Tree block receives the 32-bit 
ICR value, consisting of 16 interrupt-set bits and 16 mask bits. Half of these bits are dedicated to interrupt 
Int0_ and half to Int3_. If an interrupt-set bit and its associated mask bit are simultaneously active-high, then 
the appropriate latch, R_int0_en or R_int3_en, is loaded with a logic-1. 
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Figure 3.19: Block Diagram of the Register Interrupt Block. 


3.1.2.4 C_Port Structure 

The C_Port top-level structure is shown in Figure 3.20, minus the complicated external interfaces. The 
C_Port controller is divided into two subunits because of its large size. Because we could not identify a log- 
ical partitioning, we simply divided the existing schematic down the center, creating a left half and a right 
half, controllers A and B, respectively. 

Figure 3.21 shows the C_Port datapath block diagram. The right side of the figure shows the interface 


34 






Figure 3.20: C_Port Top-Level Block Diagram. 


(to C_Port Controller) (to/from I_Bus) cm 



CB _parity 


(to/from C_Bus) 


Figure 3.21: Block Diagram of the C_Port Datapath. 
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between the I_Bus and the C_Bus. The Parity JDecodeJLogic block decodes the 1 8-bit parity-encoded data 
received from the C_Bus data lines. It outputs 16-bit data and a single-bit error-detection flag. 

The CB_In_Latches block stores the messages received from the C_Bus. This information consists of 
transaction header information, address, and data. The BE_Out_Logic block outputs the byte enables onto 
the I_Bus. The CB_Out_Logic block parity-encodes data for transmission onto the C_Bus. 

On the left side of the figure, the Grant_Logic block implements the C_Bus arbitration. The 
Addressed_Logic block determines whether this PIU is being addressed by the C_Bus master. The 
D_Writes_Logic block determines whether this PIU is an active channel or not; if not then it prohibits mem- 
ory accesses using the Disable_writes output. The Parity_Signal_Inputs block controls the setting and reset- 
ting of the C_parity latch, whose output, CB_parity, is transmitted to the R_Port SR. 

Part (A) of the C_Port controller is shown in Figure 3.22. The two state machines: Master FSM and 
Slave FSM, implement the C_Bus protocol from the master and slave perspectives, respectively. The Srdy 
FSM controls the enabling of I_Bus slave signals transmitted by the C_Port. 

The Last_Logic block and the latches holding C_lock_in_ and C_last_in_ preprocess the I_lock_ and 
I_last_ I_Bus signals received from the P_Port. The Hold_Logic block and the latches holding C_last_out_ 
and C_hold_ process the I_last_ and I_hold_ signals transmitted over the I_Bus. The Cout_Sel_Logic block 
determines which 16-bit word is to be transmitted over the C_Bus and provides selection signals to the data- 
path to control this. 
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Figure 3.23 shows part (B) of the C_Port controller. The DPjCtls PLA block converts output signals 
from both the master and slave state machines of part (A) into control signals for the datapath. The latches 
at the output of this block, as well as the Cout_l _Le_Logic block, provide further processing for the datap- 
ath, primarily to control the enabling of the datapath latches. 

The CBss_Out_Logic block and the CBms_Out_Logic block determine the master-status and slave-sta- 
tus, respectively, for C_Bus transactions. The Srdy_In_Logic block decodes the slave-status input from the 
C_Bus to determine whether the slave is ready for the next transaction. 

The Rdy_Logic block, the ISrdy_Out_Logic block, and intervening latches implement the generation 
and transmission of the I_srdy_ signal to the I_Bus. The Iad_En_Logic block controls the enabling for 

address and data transmissions over the I_Bus. 

The Pe_Cnt_Logic block controls the enabling of parity-error counting within the datapath. 



Figure 3.23: Block Diagram of the C_Port Controller (Part B). 
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3.1.2.5 SU_Cont Structure 


The SU_Cont structure is divided into the two subsections shown in Figures 3.24 and 3.25. The first 
figure shows mainly the blocks that interact with the other ports within the PIU, while the second shows 
mainly those that interface with the local processor. 

The FSM block in Figure 3.24 controls the initialization process. It sequences through states that suc- 
cessively reset and test CPU0, reset and test CPU1, then select and initialize the active mission processor. 
It uses the output of the 18-bit counter block, via the Muxes block, to control its time duration in many of 
its states. The Delay_In block processes the input signals for the counter block. 

The Dis_Int_Out block determines and then transmits reset signals and various disable signals to the 
other ports. 

The blocks Scnt_In, Scnt_In1, the 3-bit counter block, and the intervening latches support the software- 
based acceptance test of each processor. The output S_Soft_Cnt contains the number of instances that the 
local processor writes a specific pattern to the General Control Register in the R_Port. If not equal to a spe- 
cific bit pattern, this counter value indicates a failed acceptance test. 



Figure 3.24: Block Diagram of the Startup Controller PIU-Port Interface. 
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Figure 3.25 shows the SU_Cont blocks that interact mainly with the local processor. The Cpu_Ok block 
and the Fail_In block together control the loading of four latches holding failure-status information. The 
Cpu_Ok block uses the S_Soft_Cnt signal just discussed and the Failure_ signals from the local processors. 
The latch outputs are transmitted to the R_Port where they are stored in the Status Register. 

The Bad_Cpu_In block controls the loading of two latches holding processed failure status of the two 
local processors. These latch outputs are used, together with FSM block outputs, in the misc logic block to 
control the loading of two other latches. These latch outputs are used to maintain the local processors in a 
reset or nonreset state, as appropriate. 

3.2 Port Phase-Level Behavior 

The phase-level specification for each PIU port is a behavioral abstraction of the corresponding gate- 
level structure. Each port is defined in terms of a 2-instruction instruction set, corresponding to the behavior 
occurring during each of the two clock phases. Each instruction is itself represented using two functions, 
defining the next-state transition and the output. Consistent with the generic interpreter model, the states and 
outputs for the ports are represented as n-tuples. 


(to/from PlU-Port Interface Block ) (to/from CPU) 



(to PIU ports) 


Figure 3.25: Block Diagram of the Startup Controller CPU Interface. 
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Appendix C contains the HOL phase-level specification. The ports are presented in the order: P Port, 
M_Port, R_Port, C_Port, and SU_Cont, in Sections C.1 through C.5, respectively. Within each section the 
next-state function for phase A is presented first, followed by the output function for phase A, and the next- 
state and output functions for phase B. 

3.3 Port Clock-Level Behavior 

The clock-level specification for each PIU port is both a temporal abstraction and a data abstraction of 
the corresponding phase-level specification. Here the unit of time is an entire 2-phase clock period, rather 
than a single phase. Data abstraction is achieved by eliminating state variables representing certain latch val- 
ues. Usually the eliminated latches are part of edge-triggered devices, such as flip-flops and counters, and 
are clocked on phase A. 

In contrast to the phase level, where the choice of instruction set is dictated by the number of clock 
phases, the choice at the clock level is much more subjective. For example, only a single instruction is really 
necessary to capture the behavior of the ports. This would provide the most concise description of behavior 
at the cost of providing the least understandable description. At the opposite extreme, the ports could be 
specified using an instruction set with millions of very simple and easy-to-understand instructions. How- 
ever, verifying such a large instruction set would be infeasible, as would the mere goal of trying to print their 
descriptions. 

Instruction sets provide the human interface to state-transition system behavior. Their existence implies 
an instruction selection capability such as that provided by the select function of the generic interpreter 
model. Often this functionality is referred to as instruction decoding, and the proper choice of this function 
(i.e., of the instruction set itself) is important for any specification attempting to provide a human-under- 
standable yet concise description of behavior. 

By their very nature, microprocessor instruction sets at the macro and microcode levels must be 
straightforward to specify since they provide the programming interface for the microprocessor. However, 
since the PIU was never intended to be programmed, nor is it microcoded, (clock-level) instruction set ele- 
gance received little consideration from the PIU design team. As a result, a clock-level instruction set for 
each port in which each instruction specifies a single well-defined action would require many tens of indi- 
vidual port-level instructions. The composition of these port-level instructions would require many tens or 
hundreds of PIU-level instructions, requiring many thousands of pages to even print; verifying these instruc- 
tions would be an enormous undertaking. 

Based on these considerations, we have abandoned our earlier efforts to define human-friendly instruc- 
tion sets at the clock level. Instead we have opted for practicality and we specify clock-level behavior using 
a single instruction for each port. Each port instruction has two parts — a next-state function and an output 
function, defining the next state and output under all operating conditions. Sections D.1 through D.5 of 
Appendix D contain the HOL specification for this level. 

3.4 PIU Port-Level Structure 

The PIU port-level structure is a structural composition of the five clock-level port specifications. We 
have used the standard approach to structural composition in which component-defining predicates are log- 
ically ANDed to form the composite behavior. Existentially-quantified variables are used for component 
outputs remaining internal to the composed system. Appendix E contains the HOL specification for this 
level. 
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3.5 PIU Clock-Level Behavior 

Appendix F contains the HOL specification for the PIU clock-level behavior. As with the individual 
ports, the clock-level behavior of the entire PIU is represented using only a single instruction consisting of 
a next-state function and an output function. 
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4 Models for Transaction Specification 

This section describes the work undertaken to determine the most appropriate model for specifying the 
top level of the Processor Interface Unit (PIU). 

4.1 Introduction. 

To complete the specification of the PIU, a top-level specification of the required behavior of the PIU 
must be written. This behavioral model should describe the actions of the device with respect to its environ- 
ment and internal state. 

The PIU is essentially a bus controller. However, there are some differences: the PIU contains special 
features for fault tolerance and dependability, such as an encoding of words sent to memory for error cor- 
rection and the ability to select between two processors depending on the results of a power-on self test. 

Our goal is to model each of the concurrent portions of the PIU individually using an interpreter (as dis- 
cussed in Section 2) and to show that a composition of these interpreters entails the behavior of a more 
abstract model. At first, we believed that the composite behavior of the PIU could be described using the 
interpreter model as well. However, we found that the high-level behavior of a device such as the PIU is 
not easily modeled as an interpreter. 

An interpreter is a computational device with one major control point. That is, one of a set of instruc- 
tions is chosen based on the current state and that instruction is used to process the state; following the exe- 
cution of the instruction, the process begins anew. While interpreters describe many interesting devices, the 
model is too restrictive to describe the PIU. 

There are at least three aspects of the intended behavior of the PIU that make it difficult to describe using 
existing techniques: 

• The feature of a bus controller that causes the greatest difficulty in using an interpreter model to describe 
it is its concurrency — a bus controller does many things at once. For example, most bus controllers con- 
tain timers that, in conjunction with an on-board interrupt controller, can interrupt the CPU. These timers 
operate concurrently with other portions of the bus controller, such as memory and network operations. 

• A typical top-level specification of the PIU might include the memory subsystem because this corre- 
sponds to the CPU’s view of the PIU (see the next section for a more complete discussion of this). This 
shared state between the PIU and other devices makes description using an interpreter model difficult. 

• The outputs of the PIU do not correspond on a one-to-one basis with the inputs; there is a many-to-one 
relationship between the outputs and inputs. The interpreter model assumes that the output at a particular 
time is described by a function on the current state and environment. The PIU may make several outputs 
in sequence because of a single input request (a block memory read request is a good example). 

In exploring possible models for use in describing the behavior of hardware devices such as bus con- 
trollers, we were concerned with the following issues: 

• The notation and semantics should be amenable to embedding and automation in an automatic theorem 
prover such as HOL. 

• The model and notation should be sufficiently general to allow a large number of interesting devices to 
be described. 

• The model and notation should be sufficiently defined to allow a rich set of theorems to be proven about 
it in isolation of any particular application. 
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Figure 4.1: The view from the CPU. 


4.2 Abstract Views 

Before exploring specific notations for describing the PIU, we consider some of the features of the PIU 
that make its behavioral specification interesting. These abstract views contribute to the understanding nec- 
essary to specify its operation. In general, the behavior of the PIU can be looked on as a combination of 
behaviors from different viewpoints: that of the CPU, the network, and the memory. In order to simplify the 
discussion that follows, we will ignore certain behaviors of the PIU. In particular, we will assume that the 
start-up processor is finished and that the PIU is in steady-state operation. 

Figure 4.1 shows the abstract view of the PIU from the CPU. In this view, the CPU sees the combination 
of the PIU, Network, and Memory (PNM) as a monolithic address space. Similarly, interrupt signals can be 

viewed as coming to the CPU from this abstract object rather than the individual components. 

In the CPU view, when the CPU issues a read request to the PNM, the PNM responds with the informa- 
tion located at the virtual address given by the CPU. The actual location of the requested data, that is, 
whether it resides in local memory, remote memory, or a register in the PIU, is abstracted away. Similarly, 
when the CPU issues a write request, it does not know whether the request will update local memory, remote 
memory, or a register in the PIU. 

Of course, inside the CPU view, the PIU either responds to requests from the CPU itself, or by issuing 
other requests to the network or the memory. Specifying what requests the PIU makes to other devices in 
response to a request from the CPU can be viewed as a specification of the implementation of the PNM. 
Another way of viewing these requests is that they will be specified in the other views of the system. The 
latter is the method we employ. 

Figure 4.2 shows the view from the memory. The memory can be viewed as a processor, albeit a simple 
one. In the memory view, the PIU/CPU/Network abstraction (PCN) makes memory read and write requests 
and the memory responds appropriately. Because the memory device is simple, it makes no requests of the 
PCN itself, but only responds to requests. 

The fact that some of these requests originated with the CPU and others with other hosts on the network 
is abstracted away. Inside the PCN abstraction, of course, the requests to the memory are originating with 
the CPU or the network and after some processing by the PIU (such as error correction encoding and decod- 
ing) are being passed on. The relationship between requests from the CPU and the network do not necessar- 
Figure 4.2: View from the Memory. 

ily correspond on a one-to-one basis with the requests sent to the memory. A single request from the CPU 
may result in many requests to the memory. 

Figure 4.3 shows the view of the PIU from the perspective of the network. In this view, the PIU, mem- 
ory, and CPU are abstracted into a single object (PMC). This is, perhaps, the most complex abstraction. The 
network makes requests of the PMC and the PMC makes requests of the network. These requests are pri- 
marily memory read and write requests. 

The problem with the views presented in Figures 4.1-4.3 is that the abstractions include the behavior of 
the CPU, network, and memory. Our goal is to specify the behavior of the PIU independent of the devices 
to which it is connected. Each of these views can be thought of as a specification of the abstract interface to 
one portion of the PIU. As Figure 4.4 shows, we can superimpose the specifications on one another. The 
union of the PNM, PCN, and PMC specify the behavior of the entire unit. Their intersection, denoted by the 
shaded area, is meant to represent the behavior that is specific to the PIU. 



Figure 4.3: View from the Network. 
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While we feel that this is a good way to think about the behavior of the PIU in abstract, we are not con- 
vinced that it is an appropriate method of specifying the behavior of the PIU. Before such a decision can be 
made, we will need to do further work. Primarily, we would like to attempt to model the specification of a 
small device in this way and evaluate the specification for readability and ease of use in verification. 

4.3 Representing Transaction Systems 

The last section discussed the specification of the abstract interfaces of the PIU, but ignored the details 
about how those specifications would be written. We talked abstractly about transactions between the PIU 
and other system components, but the question remains of how to represent those transactions. 

One of the difficulties of representing the PIU was touched upon in the last section. If we were only 
faced with the problem of representing a transaction system such as the PNM (PIU, network, and memory 
abstraction), the problem would be much simpler. The model would consist of a set of response functions 
associated with incoming transactions. For each incoming transaction, the response function would update 
the state of the system and generate an outgoing response based on the current value of the state. 

In the model shown in Figure 4.4, the PIU is not a transaction system, but a transaction translation sys- 
tem. The PIU cannot generate a response until it issues requests of its own and receives answers to those 
requests. In addition, there may be state internal to the PIU that needs to be updated and affects the response. 

The ultimate goal of the work presented in this report is not to just specify the PIU, but to verify that 
specification against a lower-level specification. This goal creates several criteria that limit our choice of 
notation for the behavioral specification: 

1. The notation must be capable of specifying concurrent operations of the PIU. 

2. The notation must be capable of describing the PIU independent of the other devices to which it might 
be attached (i.e., the state of those devices should not be a necessary part of the PIU specification). 

3. The notation must allow a many-to-one relationship between outputs and inputs. 

4. The final specification must be concise and readable. We would like to be able to look at the specification 
and capture some overall feeling for what it means. Without this level of abstraction, it is very difficult 
to determine whether the specification is correct or not. 

5. The notation must have, or be amenable to building, a collection of theorems about it so that we can rea- 
son about the specification and its relationship to the lower-level implementations. 
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6. The notation must be mechanizable and, since our verification system of choice is HOL, be representable 
in the HOL logic. 

There are a number of candidate notations: 

1. We could attempt to represent the transactions in HOL without resorting to any specific notation (i.e., 
raw HOL). We consider the generic interpreter theory (GIT) to be a representation of one kind of com- 
putational object in raw HOL. The use of raw HOL to represent transactions implies that we would build 
a model similar to the GIT, but capturing the abstractions envisioned in the previous section. 

The advantages of this approach are that the model is likely to be tailored to the structure of the PIU more 
closely than with the other approaches. This means that the meaning of the specification may be clearer. 
Our experience with the GIT has shown us that abstract models built in HOL can be a fruitful avenue of 
exploration because they yield a great deal of information to aid in understanding the structure at hand. 
These models lend a structure to the specification and verification task that is usually not there otherwise; 
the model states explicitly what definitions must be made to complete the specification and which lem- 
mas need to be proven to complete the verification. 

The disadvantages of using raw HOL are that the model of a transaction system would have to be built 
and useful theorems about this model would have to be proven. This task is usually more easily done 
when at least one concrete specification of the type being modeled has been built. This prototype speci- 
fication serves to guide the model development. 

2. We could use temporal logic. The primary benefit of temporal logic is that transactions entail describing 
and reasoning about actions that will occur in the future because of something that occurs now. For ex- 
ample, when the CPU sends a memory read transaction to the PIU, this creates an obligation in the PIU 
to respond to the request in the future. In between receiving the request and answering it, the PIU would 
engage in a number of transactions with the network, memory, or both. 

The primary advantage of temporal logic is that there has been much work in the area and it has been 
successfully used to model hardware devices in other specification efforts. 

The disadvantage is that it is as general as any other general purpose logic and thus, while expressive, 
would not serve to structure the specification. 

3. We could use a well-developed process algebra [Hen88, Hoa85, Mil89a, Mil89b, Mil89c]. Milner 
[Mil89a] presents a calculus of communicating concurrent processes called CCS; CCS is perhaps the 
best known process algebra. In process algebras, the specification concentrates on the communication 
between processes. The specification of the PIU would entail a specification of the events that occur and 
the events that follow from them. 

There are several advantages to using a process algebra. Process algebras are well understood and there 
are several popular ones from which to choose. This implies that there are also a great many theories 
developed and ready for use in a proof effort. To the extent that deduction rules and theorems about the 
process algebra can be mechanized in HOL, the job of proving properties of the specification will be 
eased. Indeed, several of the most popular process algebras have been mechanized in HOL and are avail- 
able for use [Sch91, Cam89, Mel91]. These mechanizations are in various states, so the amount of effort 
in using one is difficult to predict. 

The disadvantages are similar to those of temporal logics. We fear that the specification will be largely 
free-form because of the generality of the specification language and thus not structure the problem 
enough to make the specification and verification methodical. 

4. We could use a formal model of a coordination language such as LINDA [But91] to model the actions 
of the system. In this model, the PIU, CPU, memory, and network are modeled as communicating in a 
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common area called tuple space. Figure 4.5 shows how this would look. In this model, the PIU writes to 
and reads from tuple space along with the other devices in the system. We can think of tuple space as an 
abstract model of the bus. 

We have given considerable thought to this option. The advantage of this option is that the model is gen- 
eral and seems to be useful for describing ensembles of coordinated processes. The disadvantage is that 
the model is not yet fully formalized (not to mention mechanized), and thus there would be considerable 
work before we could begin using the model. Also, we consider this model to be better suited to describ- 
ing interactions between system components (however they are specified) rather than specifying the 
components themselves. Thus, we plan to pursue the formalization of LINDA as a model for composing 
specifications, rather than for the specifications themselves. 

Overall, we believe that approach (1) has the most promise and meets the criteria that we outlined above. 
We do, however, recognize that there is a rich body of research surrounding process algebras and thus will 
draw on that wherever possible. Indeed, much as the GIT looks similar to a state machine, but has specific 
features designed to specify and verify microprocessors, our transaction model will look similar to existing 
process algebras but have features specific to specifying and verifying hardware devices such as the PIU. 

4.4 Preliminary Transaction Model Design 

This section discusses some preliminary design concepts for the transaction model and gives our devel- 
opment plans. 

4.4.1 The Transaction Model 

Our preliminary transaction model contains elements common to other behavioral models, augmented 
by features targeting transaction-level behavior. 



Figure 4.5: Modeling the Buses in a Computer System using Tuple Space. 
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4.4.1.1 Ports 


A transaction system has a number of ports. The system will receive requests on input ports, send 
requests on output ports and communicate data on data ports. Our model will have an alphabet of port names 
that can be used to identify ports uniquely. 

4.4.1.2 State 

The transaction system will have internal state. This state will be represented in a concrete object as a 
tuple, but in the model will be represented abstractly. 

4.4.1.3 Transactions 

A transaction will be a triple consisting of an identifying request (taken from an alphabet of possible 
requests), a state transition function used to update the state, and a set of port-request function pairs repre- 
senting the requests to be sent and the ports to issue them on in response to the transaction request. The 
request functions use the current state and values on the data ports to generate a request. 

4.4.1.4 Operation 

The model will be driven by request events. The model will consist of a set of transactions for each input 
port. The set represents the legal requests on that port. For each input port, the model will, in parallel, read 
a request, find the appropriate transaction in its transaction set, and use that transaction to update the state 
and issue requests on output ports. 

4.4.2 Development Plan and Comments 

We plan to refine the preliminary concepts outlined above as follows: 

1. Build a functional program in ML of the behavior of the PIU based on the model presented above. The pro- 
gram will allow us to exercise the model and determine where there are problems. We chose ML since 
it is close to the syntax of HOL and will be readily converted into HOL when we are satisfied with it. 

2. The program built in the previous step will be specific to the PIU. Our plan is to generalize that program 
into an abstract model of transaction systems. We plan to use the results of the experiments in the previ- 
ous step to guide a formalization of the general model in HOL. Careful design of the abstraction in the 
program will make this task easier. Provided that the results of the experiments yield favorable results, 
we do not anticipate formalization to be a large effort. 

3. After the model has been formalized, we will need to use it to assess its utility and determine what lem- 
mas need to be proven in the abstract theory to enable effective reasoning in the concrete model. There 
is no way to determine what these theories will be until the model is used the first time. 

4. As the model is used, there will undoubtedly be refinements and extensions. Our experience with the 
generic interpreter theory has shown that refining and extending abstract theories is not an arduous task 
and anticipate that the same will be true of the new model. 

There are several areas that may lead to difficulties: 

• The model specifies each input port separately (in the spirit of the abstract views of Section 4.2). There 
will have to be coordination between ports due to shared state and output ports. The network port and 
the CPU port cannot both issue requests of the memory port simultaneously. This, of course, is also a 
restriction in the design. Our problem is not what coordination to perform, since that exists in the PIU 
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already, but how to represent such coordination in the model. We hope that process algebras will give us 
some guidance. 

• The state is shared and thus may be updated by several ports at once (provided that such updating does 
not cause interference). We hope that partial specifications of the changes, represented by predicates 
rather than functions, will solve this problem. 

• We have ignored the start-up operation of the PIU in our model. We do not believe that this is a problem 
since the start-up portion of the chip operates in sequence with the rest of the PIU components. We can 
model the start-up portion using an interpreter or transaction system (whichever is more appropriate) and 
choose the behavior of the start-up device or the PIU device depending on the current state. 

• The PIU has a number of on-board clocks that serve as interrupt timers. We hope that they can be mod- 
eled using the concepts presented in this chapter by looking at the external clock port as another input 
port with its own set of transactions. One of those transactions will trigger interrupts when the state is 
correct. 

4.5 Conclusions 

Hardware devices such as the PIU present a unique challenge for behavioral specification. They differ 
from interpreters primarily in that there is a large amount of coarse-grained parallelism and they do not con- 
trol all the state that they are expected to impact. The overall system (PIU, CPU, network, and memory) 
could be modeled as an interpreter, but our desire is to model the PIU independently. 

One could just make a laundry list of all the actions that occur and use this as the specification, but the 
result would be nearly unreadable for a complex device such as the PIU. Our goal is to create an abstraction 
that organizes that behavior so that the specification is readable as well as useful for verification. An unread- 
able specification is likely to be wrong. 

The research presented here is only a start at the top-level specification of the PIU. We plan the follow- 
ing follow-on work: 

• The preliminary transaction model must be refined as presented in Section 4.4. The models need to be 
tested on the PIU design for utility. Furthermore, the model needs to be formalized in HOL. 

• Further work must be done on the composition of our abstract-view approach to behavior. We plan a 
further review of the literature for applicable work and a small test study involving a small device with 
a simple semantics, but more than one interface, to determine whether composing the abstract behaviors 
of the interface is sufficient to represent behavior. 

• We intend to pursue the formalization of the LINDA coordination language since it seems a likely can- 
didate model for composing the specification of the PIU with the specifications of the CPU, memory, 
and network. This composition would be used to implement a more abstract view of the system. This 
work does not have consequences for the top-level specification of the PIU itself but may be important 
for future compositions. 
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5 Towards an Integrated Simulation/Verification Environment 

This section describes work that links the M hardware description language and the HOL theorem prov- 
ing system. 

The M hardware description language is part of a simulation and synthesis system from Mentor Graph- 
ics Corporation. M is a superset of C with extensions for efficiently describing hardware. 

The goal of the work presented in this section was to develop a prototype translator for converting M 
descriptions to the equivalent HOL descriptions. We chose to describe the implementation of the PIU in M 
for several reasons: 

• Engineers working on the project are more comfortable with M descriptions than they are with the logic 

of HOL. This is probably because of the similarity of M to imperative programming languages in which 

most engineers are schooled. 

• M descriptions can be executed. This allows the specifications to be animated, providing a form of sim- 
ulation. Engineers can observe the operation of the specification in an effort to judge its correctness. 

The translator described here is a prototype tool. We have used the AWK programming language 
[Aho88] to construct a parser for the subset of M actually used in the description of the PIU. In addition to 
parsing M, the tool generates HOL statements corresponding to the input. The generation is done on an ad 
hoc basis — no attempt has been made to describe the semantics of M formally. 

The translator between M and HOL is important because a hand translation would be tedious and error 
prone. Using a machine translation, even one done informally, provides consistent translations. When an 
error in a translation is found, the translator can be corrected and the other translations redone to ensure that 
the error does not affect other specifications as well. 

Future work may include a more formal translator between M and HOL if we determine that M descrip- 
tions are useful. The more formal translator would include a parser built into the HOL theorem prover as 
well as a formal semantic description. The translation would be done completely within the theorem prover 
for added assurance. 

The following section will discuss data types developed for use with the model. We will not discuss the 
actual translation process in detail, but we will give a simple example of an M description of a finite state 
machine and its equivalent form in HOL as produced by the M-to-HOL translator. The HOL definitions are 
intended to be used with the generic interpreter model described in Section 2 of this report. 

5.1 New Datatypes in HOL 

In order to translate M to HOL, we had to make type definitions in HOL that correspond to the types 
used in the M language. Two of the more involved type definitions were arrays and n-bit words. 

5.1.1 Arrays 

Since M is a superset of C, M descriptions make heavy use of arrays. HOL does not have a built-in array 
type, but arrays are easy to model in higher-order logic using functions. In general we treat an array of 
objects as a function from the natural numbers to the same objects. There are four basic operations on arrays 
in M that needed to be defined in HOL: array indexing, array assignment, array subsetting, and subarray 
assignment. 

Array Indexing. In M, arrays are indexed using bracket notation. In HOL, since arrays are just func- 
tions, arrays are indexed by function application. Thus, the M term x[i] is written in HOL as (x i). 

Array Assignment. In M, one can use an indexed array variable as the lvalue in an assignment state- 
ment. Logic does not have assignment, so the corresponding definition is functional. We define a function 
called ALTER that operates on an array, an index, and a value and returns a new array with the value stored 
in the array at the index given. All other values are unchanged. Thus, the M term x[i] = y is written (ALTER 
x (i) y) in HOL. 

Array Subsetting. In M, one can use a subarray in an expression. The HOL function SUBARRAY serves 
the same purpose. Thus, the M term x[15:5] (which represents an 11-element array with location 0 holding 
the same value as x[5], location 1 holding the same value as x[6], and so on) would be written in HOL as 
SUBARRAY x (15,5). 

Subarray Assignment. In M, one can assign arrays to portions of an existing array. The HOL function 
that does this is called MALTER. The M term x[15:5] = y would be written in HOL as MALTER x (15,5) y. 
The theory of arrays also contains theorems pertaining to these definitions that aid in reasoning about 

arrays. 

5.1.2 N-Bit Words 

N-bit words are defined in M using arrays of booleans. Since we represent arrays as functions, the nat- 
ural representation for n-bit words is a function from the natural numbers to the booleans. The theory of n- 
bit words that we defined uses this representation and makes definitions that allow the representation to be 
usable. There are four kinds of definitions in the n-bit word theory: 

1. Definitions that interpret the meaning of an n-bit word. 

2. Definitions that create n-bit words with special meanings and give them a name. 

3. Definitions that test an n-bit word for a given property. 

4. Definitions that operate on n-bit words. 

There are two major functions for interpreting n-bit words: VAL and WORDN. VAL returns the numeric 
value of an n-bit word. WORDN returns the n-bit word representing a given number. 

There are a number of functions for creating special n-bit words. We will not discuss all of them here, 
but only give a few examples. SETN returns an n-bit word with all of its bits set. Similarly, RSTN returns 
an n-bit word with all of its bits false. 

Examples of test predicates include ONES which tests if all the bits in a word are true and ZEROS which 
tests if all the bits in a word are false. 

Operations on n-bit words implement common boolean and arithmetic operations on n-bit words. For 
example, NOTN returns the n-bit complement of a word. INCN returns the n-bit word resulting from adding 
1 (modulo n) to its argument. 

So far, the theory does not contain many theorems regarding these definitions and their relationship to 
one another. These theorems will be proven as necessary. 

5.2 An Example in M 

The following example shows how a finite state machine is described in M. For brevity, the description 
contains only one state, S1; a more realistic description would contain more states, as well as more logic 
variables. The example does illustrate some of the features of M that required translation such as logic oper- 
ations, array subranging, and the mixture of output and logical statements in the same context. 
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/**********★★********★★****★★*******★*★★****************** 
Module: test.M 

Authors: David Fura / Phillip Windley 

Date: 13MAR92 

Example of M description for translation. 
**********************************************************/ 
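#define V1 1
#define V2 2
MODULE test ( ) {

/* State variables: */
/* The HOL translation of this module treats (A, B, C) as the current state
   and (new_A, new_B, new_C) as the values returned for the next state. */
MEMORY LOGIC new_A, A;
MEMORY LOGIC new_B, B;
MEMORY LOGIC new_C[32], C[32];

/* Output variables: */
OUT I_X[32];

/* Input variables: */
IN Clock;
IN Rst;

INITIALIZE { }

SIMULATE {
    /* NOTE(review): S1, Decode and wr are not defined in this listing. */
    switch (Decode (Clock)) {
    case S1:
        /* Next-state logic. */
        new_A = (C == V1) || (C != V2);
        new_B = (C == V1) && new_A;
        new_C = wr (C, 1);

        /* Output logic, assigned per bit range of I_X. */
        I_X[31] = new_A
                ? Clock
                : Rst;

        I_X[30:29] = new_C[1:0];

        /* When new_B is false the low bits keep their previous value. */
        I_X[28:0] = new_B
                  ? new_C[28:0]
                  : I_X[28:0];
        break;
    default:
        PRINT ("\nILLEGAL");
        break;
    }
}

}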
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5.3 An Example in HOL 

The following code represents the translation of the M code in the last section into HOL by the prototype 
translator developed for this project. No substantive changes have been made to the text. Except for inden- 
tation and spacing, everything is just as the translator produced it. 

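% Term fragments that the definitions below splice in by antiquotation (^). %
% V1 and V2 carry the values of the M #define constants.                    %
let V1 = "1";;

let V2 = "2";;

% Shapes of the state, input and output tuples of the M module `test`. %
let test_state = "((A, B, C) : bool # bool # wordn)";;

let test_inputs = "((Rst, Clock) : bool # bool)";;

let test_outputs = "((I_X) : wordn)";;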

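% S1_inst: next-state function for state S1.                             %
% Takes the current state (A, B, C) and the inputs (Rst, Clock) and      %
% returns the triple (new_A, new_B, new_C).                              %
% NOTE(review): wr is not defined on this page; its meaning must be      %
% taken from the theory that supplies it.                                %
let S1_inst_def = new_definition
  (`S1_inst`,
   "S1_inst ^test_state ^test_inputs =
      let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
      let new_B = (C = (WORDN ^V1)) /\ new_A in
      let new_C = wr (C, (WORDN 1)) in
      (new_A, new_B, new_C)"
  );;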

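% S1_out: output function for state S1.                                   %
% Recomputes new_A, new_B and new_C exactly as S1_inst does, then builds  %
% the output word I_X from three bit ranges (31, 30:29 and 28:0).         %
% NOTE(review): I_X is read on the right-hand side (SUBARRAY I_X, MALTER  %
% I_X) but is bound by neither ^test_state nor ^test_inputs; confirm how  %
% the previous output value is meant to be supplied.                      %
% NOTE(review): I_X_31_31 is a boolean conditional, while MALTER is       %
% described in the text as assigning an array to a subrange; this may be  %
% one of the cases the translator's simple type analysis does not catch.  %
let S1_out_def = new_definition
  (`S1_out`,
   "S1_out ^test_state ^test_inputs =
      let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
      let new_B = (C = (WORDN ^V1)) /\ new_A in
      let new_C = wr (C, (WORDN 1)) in
      let I_X_31_31 = new_A
                      => Clock
                      | Rst in
      let I_X_30_29 = (SUBARRAY new_C (1,0)) in
      let I_X_28_0 = new_B
                     => (SUBARRAY new_C (28,0))
                     | (SUBARRAY I_X (28,0)) in
      let I_X = (MALTER
                  (MALTER
                    (MALTER I_X (31,31) I_X_31_31)
                    (30,29) I_X_30_29)
                  (28,0) I_X_28_0) in
      (I_X)"
  );;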

The translator does a good job of translating most M programs into HOL. The largest limitation on its 
use is the simple type analysis that is done. A more thorough type analysis would catch some of the infre- 
quent errors, but would have made the translator much more complicated. If a translator based on formal 
semantics is constructed, we will overcome this limitation. 
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6 Conclusions 


We have completed the design specification for a processor interface unit (PIU) and identified the mod- 
eling approach to be used for the requirements specification. Along the way we have made progress in inte- 
grating our hardware design and verification environments into a single unified framework. 

In performing this task a number of important conclusions have been reached concerning the state-of- 
the-art in formal specification, using HOL, with respect to the demands of real-world hardware systems. 

The generic interpreter theory, described in Section 2, was shown to work well in a real-world hardware 
application. It is clear that this theory, which was initially funded by NASA in a previous task [Win90], fits 
applications well beyond the domain of microprocessors for which it was originally used. Our introduction 
of outputs into the theory accommodates the composition of subsystems modeled as interpreters, and 
enhances the theory’s applicability to future system modeling problems. 

Developing the lower five levels of the PIU specification hierarchy, described in Section 3, stretched 
existing specification tools and techniques to their limit. To illustrate the size of this modeling problem, the 
five phase-level specifications together required equations for 280 state variables and 60 output variables. 
The PIU clock-level model caused overflows in three different stacks in the original Lisp implementation 
used to build the HOL system. 

Because of delays in the PIU design schedule, this task began while the design was still undergoing con- 
siderable change. Due to the multiple specification levels and the lack of any significant automation, mod- 
ifying our models to reflect these changes required much more effort than that required by the design team, 
for example. As a result, the total effort required to complete the design specification was far greater than 
necessary. Although previous formal specification and verification efforts appear to have begun only after 
the design was finalized, and therefore didn’t face this problem, formal methods will be most useful when 
they can be applied before a chip is initially fabricated, and thus before the design is finished as well. Based 
on this experience it is clear that major improvements are needed in the tools used to develop future design 
specifications. 

Perhaps our most significant discovery is that current hardware specification approaches, although suit- 
able for the lower levels of the PIU specification hierarchy, are inadequate for the topmost level. This moti- 
vated us to investigate the alternative modeling techniques described in Section 4, from which we have 
defined a preliminary model for use in formalizing a new transaction-based modeling level. 

Although not explicitly part of this task’s description, we have made progress in integrating our hard- 
ware design and verification environments to support this and future work. The M-to-HOL translator, 
described in Section 5, performs a nearly-complete translation of suitably-formatted M-language models 
into HOL. The utility of this tool was demonstrated by our translation of all the port-level behavioral models 
from their definitions in M. Although this translation is not based on a formal semantics for M, it provides 
a consistent translation capability that is available for use now. It should have an immediate impact on pro- 
ductivity for the next chip specification. 

The work presented in this report has made a significant contribution to the specification and verification 
of real-world devices, but much remains to be done. In particular, this report has outlined the following 
tasks: 

1. Before work on the specification of the top level can be completed, the formal model of the transaction 

level must be completed. Section 4 gives a more detailed plan for completing this work. 

2. The specification hierarchy was outlined in Section 3, but this task did not include the completion of the 

specification. In particular, the PIU top-level specification remains to be written. 
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In addition to the work that must be completed to finish the specification, there are a number of open 

questions that have a direct bearing on how this work is used: 

1. The proofs of correspondence between levels in the specification hierarchy should be completed. The 
specification process itself is useful because it gives designers an abstract view of the device and aids 
understanding. The detailed examination entailed in the specification is useful for finding errors. How- 
ever, the primary benefit of a formal specification is that it is amenable to analysis. 

2. If we intend to use the top-level specification along with specifications of other devices in the PMM, 
such as the CPU and memory, to write a specification of the PMM, a model of composition must be de- 
veloped. Section 4 recommended a formalization of LINDA as that model, but no work has been done 
to explore the feasibility or utility of this method. 

3. The translation between M and HOL is being done in a prototype system written in AWK. A more formal 
approach, with more confidence in its correctness, would be to embed M in HOL. This would involve 
defining the syntax of M (or a reasonable subset) in HOL and then defining a formal semantics of M for 
use in the translation. Because the translation would be done by the verification system itself, we could 
have increased confidence that the HOL model corresponded to the M model. 
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Appendix A ML Source for Component Specifications. 

This appendix contains the HOL models for components used in the gate-level specification for the PIU 
ports, as well as auxiliary definitions for n-bit words implemented as arrays and array accessing functions. 

% 

File: gates_def.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the combinational logic gates used in the gate-level description of the 
FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

% 


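% Delete any gates_def theory file left in the current directory by an   %
% earlier run, then open the theory and declare aux_def as its parent.   %
system `rm gates_def.th`;;

new_theory `gates_def`;;

map new_parent [`aux_def`];;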

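% Inverter: at every time t the output z is the negation of the input a. %
let NOT_SPEC = new_definition
  (`NOT_SPEC`,
   "! a z .
    NOT_SPEC a z =
      (! t:time . z t = ~a t)"
  );;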

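% Two-input AND gate: z is the conjunction of a and b at every time t. %
let AND2_SPEC = new_definition
  (`AND2_SPEC`,
   "! a b z .
    AND2_SPEC a b z =
      (! t:time . z t = a t /\ b t)"
  );;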

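% Three-input AND gate: z is the conjunction of a, b and c at every time t. %
let AND3_SPEC = new_definition
  (`AND3_SPEC`,
   "! a b c z .
    AND3_SPEC a b c z =
      (! t:time . z t = a t /\ b t /\ c t)"
  );;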

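% Two-input OR gate: z is the disjunction of a and b at every time t. %
let OR2_SPEC = new_definition
  (`OR2_SPEC`,
   "! a b z .
    OR2_SPEC a b z =
      (! t:time . z t = a t \/ b t)"
  );;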

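% Three-input OR gate: z is the disjunction of a, b and c at every time t. %
let OR3_SPEC = new_definition
  (`OR3_SPEC`,
   "! a b c z .
    OR3_SPEC a b c z =
      (! t:time . z t = a t \/ b t \/ c t)"
  );;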

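% Two-input NAND gate: z is the negated conjunction of a and b at every t. %
let NAND2_SPEC = new_definition
  (`NAND2_SPEC`,
   "! a b z .
    NAND2_SPEC a b z =
      (! t:time . z t = ~(a t /\ b t))"
  );;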

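% Three-input NAND gate: z is the negated conjunction of a, b and c. %
let NAND3_SPEC = new_definition
  (`NAND3_SPEC`,
   "! a b c z .
    NAND3_SPEC a b c z =
      (! t:time . z t = ~(a t /\ b t /\ c t))"
  );;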

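% Buffer over any signal type: the output z equals the input a at every t. %
let BUF_SPEC = new_definition
  (`BUF_SPEC`,
   "! (a:time->*) z .
    BUF_SPEC a z =
      (! t:time . z t = a t)"
  );;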

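% Tri-state buffer: whenever the enable e is true, z equals a.            %
% The definition places no constraint on z at times when e is false, so   %
% nothing about an undriven output can be derived from this predicate.    %
let TRIBUF_SPEC = new_definition
  (`TRIBUF_SPEC`,
   "! (a:time->*) e z .
    TRIBUF_SPEC a e z =
      (! t:time . (e t) ==> (z t = a t))"
  );;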

close_theory();; 


File: 

latches_def.ml 

Author: 

(c) D.A. Fura 1992 

Date: 

31 March 1992 


This file contains the ml source for the latches used in the gate-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 


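% Delete any stale latches_def theory file, then open the theory with     %
% aux_def as parent.                                                      %
system `rm latches_def.th`;;
new_theory `latches_def`;;
map new_parent [`aux_def`];;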
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One-bit D-latcb, no set, no reset, no enable. 


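% Transparent D-latch: while clk is high the next state follows din,      %
% otherwise it holds. qout at time t is the state at t+1.                 %
let DLAT_SPEC = new_definition
  (`DLAT_SPEC`,
   "! (din:time->bool) clk state qout .
    DLAT_SPEC din clk state qout =
      ! t:time .
        (state (t+1) = (clk t) => din t | state t) /\
        (qout t = state (t+1))"
  );;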


One-bit D-latch, with set, no reset, no enable. 


% 


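% D-latch with set: while clk is high the next state is T if set is       %
% asserted, else din; while clk is low the state holds.                   %
let DSLAT_SPEC = new_definition
  (`DSLAT_SPEC`,
   "! (din:time->bool) set clk state qout .
    DSLAT_SPEC din set clk state qout =
      ! t:time .
        (state (t+1) = (clk t) => ((set t) => T | din t) | state t) /\
        (qout t = state (t+1))"
  );;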


% 

One-bit D-latch, no set, with reset, no enable. 


% 


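% D-latch with reset: while clk is high the next state is F if rst is     %
% asserted, else din; while clk is low the state holds.                   %
let DRLAT_SPEC = new_definition
  (`DRLAT_SPEC`,
   "! (din:time->bool) rst clk state qout .
    DRLAT_SPEC din rst clk state qout =
      ! t:time .
        (state (t+1) = (clk t) => ((rst t) => F | din t) | state t) /\
        (qout t = state (t+1))"
  );;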


% 

One-bit D-latch, with set, with reset, no enable. 


■% 


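% D-latch with set and reset. While clk is high: set alone gives T, rst   %
% alone gives F, neither gives din.                                       %
% With set and rst both asserted the next state is ARB, i.e. the model    %
% leaves it unspecified; a proof that needs a definite value must first   %
% rule that input combination out.                                        %
let DSRLAT_SPEC = new_definition
  (`DSRLAT_SPEC`,
   "! (din:time->bool) set rst clk state qout .
    DSRLAT_SPEC din set rst clk state qout =
      ! t:time .
        (state (t+1) = (clk t) => ((set t /\ ~rst t) => T |
                                   (~set t /\ rst t) => F |
                                   (~set t /\ ~rst t) => din t |
                                   ARB) |
                       state t) /\
        (qout t = state (t+1))"
  );;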




One-bit D-latch, no set, no reset, with enable. 


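% D-latch with enable: the next state follows din only while clk and en   %
% are both high; otherwise the state holds.                               %
let DELAT_SPEC = new_definition
  (`DELAT_SPEC`,
   "! (din:time->bool) en clk state qout .
    DELAT_SPEC din en clk state qout =
      ! t:time .
        (state (t+1) = (clk t /\ en t) => din t | state t) /\
        (qout t = state (t+1))"
  );;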


One-bit D-latch, no set, with reset, with enable. 

% 


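% D-latch with reset and enable: while clk and en are both high the next  %
% state is F if rst is asserted, else din; otherwise the state holds.     %
% Reset is therefore gated by the enable in this model.                   %
let DRELAT_SPEC = new_definition
  (`DRELAT_SPEC`,
   "! (din:time->bool) rst en clk state qout .
    DRELAT_SPEC din rst en clk state qout =
      ! t:time .
        (state (t+1) = (clk t /\ en t) => ((rst t) => F | din t) | state t) /\
        (qout t = state (t+1))"
  );;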


One-bit D-latch, with set, no reset, with enable. 


-% 


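% D-latch with set and enable: while clk and en are both high the next    %
% state is T if set is asserted, else din; otherwise the state holds.     %
let DSELAT_SPEC = new_definition
  (`DSELAT_SPEC`,
   "! (din:time->bool) set en clk state qout .
    DSELAT_SPEC din set en clk state qout =
      ! t:time .
        (state (t+1) = (clk t /\ en t) => ((set t) => T | din t) | state t) /\
        (qout t = state (t+1))"
  );;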


One-bit D-latch, with set, with reset, with enable. 


-% 


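% D-latch with set, reset and enable. While clk and en are both high:     %
% set alone gives T, rst alone gives F, neither gives din.                %
% With set and rst both asserted the next state is ARB (unspecified).     %
let DSRELAT_SPEC = new_definition
  (`DSRELAT_SPEC`,
   "! (din:time->bool) set rst en clk state qout .
    DSRELAT_SPEC din set rst en clk state qout =
      ! t:time .
        (state (t+1) = (clk t /\ en t) => ((set t /\ ~rst t) => T |
                                          (~set t /\ rst t) => F |
                                          (~set t /\ ~rst t) => din t |
                                          ARB) |
                       state t) /\
        (qout t = state (t+1))"
  );;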


% 

Multiple-bit D-latch, no set, no reset, no enable. 


% 


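% Word-wide D-latch: same behaviour as DLAT_SPEC with din of type wordn.  %
let DLATn_SPEC = new_definition
  (`DLATn_SPEC`,
   "! (din:time->wordn) clk state qout .
    DLATn_SPEC din clk state qout =
      ! t:time .
        (state (t+1) = (clk t) => din t | state t) /\
        (qout t = state (t+1))"
  );;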

close_theory();; 


File: ffs_def.ml 

Author (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the flip-flops used in the gate-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

% 


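% Delete any stale ffs_def theory file, then open the theory with         %
% aux_def as parent.                                                      %
system `rm ffs_def.th`;;
new_theory `ffs_def`;;
map new_parent [`aux_def`];;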

One-bit flip-flop, no set, no reset, no enable. 

-% 


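% Flip-flop built from two state variables: state0 loads din while clk is %
% low, state1 copies state0 while clk is high, and qout at time t is      %
% state1 at t+1.                                                          %
let DFF_SPEC = new_definition
  (`DFF_SPEC`,
   "! (din:time->bool) clk state0 state1 qout .
    DFF_SPEC din clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => din t | state0 t) /\
                  (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;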


% 

One-bit flip-flop, no set, with reset, no enable. 
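% Flip-flop with reset: while clk is low, state0 loads F if rst is        %
% asserted, else din; state1 copies state0 while clk is high.             %
let DRFF_SPEC = new_definition
  (`DRFF_SPEC`,
   "! (din:time->bool) rst clk state0 state1 qout .
    DRFF_SPEC din rst clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
                  (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;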


% 

One-bit flip-flop, with set, no reset, no enable. 


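% Flip-flop with set: while clk is low, state0 loads T if set is          %
% asserted, else din; state1 copies state0 while clk is high.             %
let DSFF_SPEC = new_definition
  (`DSFF_SPEC`,
   "! (din:time->bool) set clk state0 state1 qout .
    DSFF_SPEC din set clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
                  (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;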


% 

One-bit flip-flop, with set, with reset, no enable. 


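% Flip-flop with set and reset, written as three implications on state0   %
% plus the usual state1 and qout equations.                               %
% NOTE(review): din is a parameter but does not occur in the body as      %
% printed, so state0 only ever changes through set or rst.                %
% NOTE(review): no clause covers clk low with set and rst both asserted,  %
% so state0 (t+1) is unconstrained in that case.                          %
% NOTE(review): the consequents state0 (t+1) = T and = F carry no         %
% parentheses here, unlike TRIBUF_SPEC and Bus_12_1_SPEC; confirm how the %
% parser groups ==> and = before relying on the reset clause.             %
let DRSFF_SPEC = new_definition
  (`DRSFF_SPEC`,
   "! (din:time->bool) rst set clk state0 state1 qout .
    DRSFF_SPEC din rst set clk state0 state1 qout =
      (! t:time . ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
                  ((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
                  ((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
                  (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;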


One-bit flip-flop, no set, no reset, with enable. 


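% Flip-flop with enable: state0 loads din while clk is low; state1 copies %
% state0 only while clk and en are both high.                             %
let DEFF_SPEC = new_definition
  (`DEFF_SPEC`,
   "! (din:time->bool) en clk state0 state1 qout .
    DEFF_SPEC din en clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => din t | state0 t) /\
                  (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;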


Multiple-bit flip-flop, no set, no reset, with enable. 
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% 


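% Word-wide flip-flop with enable: same behaviour as DEFF_SPEC with din   %
% of type wordn.                                                          %
let DEFFn_SPEC = new_definition
  (`DEFFn_SPEC`,
   "! (din:time->wordn) en clk state0 state1 qout .
    DEFFn_SPEC din en clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => din t | state0 t) /\
                  (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;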


% 

One-bit flip-flop, no set, with reset, with enable. 

% 


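% Flip-flop with reset and enable: while clk is low, state0 loads F if    %
% rst is asserted, else din; state1 copies state0 only while clk and en   %
% are both high, so a reset reaches qout only through an enabled clock.   %
let DREFF_SPEC = new_definition
  (`DREFF_SPEC`,
   "! (din:time->bool) en rst clk state0 state1 qout .
    DREFF_SPEC din en rst clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
                  (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;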


One-bit flip-flop, with set, no reset, with enable. 

% 


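% Flip-flop with set and enable: while clk is low, state0 loads T if set  %
% is asserted, else din; state1 copies state0 only while clk and en are   %
% both high.                                                              %
let DSEFF_SPEC = new_definition
  (`DSEFF_SPEC`,
   "! (din:time->bool) en set clk state0 state1 qout .
    DSEFF_SPEC din en set clk state0 state1 qout =
      (! t:time . (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
                  (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;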


One-bit flip-flop, with set, with reset, with enable. 


■% 


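% Flip-flop with set, reset and enable: three implications on state0,     %
% with state1 copying state0 only while clk and en are both high.         %
% NOTE(review): din does not occur in the body as printed, and no clause  %
% covers clk low with set and rst both asserted (state0 is then           %
% unconstrained).                                                         %
% NOTE(review): the consequents state0 (t+1) = T and = F are not          %
% parenthesised; confirm how the parser groups ==> and =.                 %
let DRSEFF_SPEC = new_definition
  (`DRSEFF_SPEC`,
   "! (din:time->bool) en rst set clk state0 state1 qout .
    DRSEFF_SPEC din en rst set clk state0 state1 qout =
      (! t:time . ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
                  ((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
                  ((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
                  (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                  (qout t = state1 (t+1)))"
  );;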


close_theory();; 
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File: counters_def.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the counters used in the gate-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

% 


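% Delete any stale counters_def theory file, then open the theory with    %
% aux_def, array_def and wordn_def as parents.                            %
system `rm counters_def.th`;;

new_theory `counters_def`;;

map new_parent [`aux_def`; `array_def`; `wordn_def`];;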


% 

Up-counter, no reset 


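% Up-counter without reset. While clk is low, state0 loads din when ld is %
% asserted, else the incremented state1 when up is asserted, else state1. %
% state1 copies state0 while clk is high. qout and zero are computed from %
% state1 at t+1, incremented first when up is asserted.                   %
% NOTE(review): zero compares whole words with WORDN 0 by equality of     %
% functions num->bool, so bits above size take part in the comparison.    %
let UPCNT_SPEC = new_definition
  (`UPCNT_SPEC`,
   "! size (din:time->wordn) ld up clk state0 state1 qout zero .
    UPCNT_SPEC size din ld up clk state0 state1 qout zero =
      ! t:time .
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (up t) => INCN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) => state0 t | state1 t) /\
        (qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;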


% 

Down-counter, no reset 


-% 


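% Down-counter without reset: as UPCNT_SPEC with DECN in place of INCN    %
% and down in place of up.                                                %
% NOTE(review): zero compares whole words with WORDN 0 by equality of     %
% functions num->bool, so bits above size take part in the comparison.    %
let DOWNCNT_SPEC = new_definition
  (`DOWNCNT_SPEC`,
   "! size (din:time->wordn) ld down clk state0 state1 qout zero .
    DOWNCNT_SPEC size din ld down clk state0 state1 qout zero =
      ! t:time .
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (down t) => DECN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) => state0 t | state1 t) /\
        (qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;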


Up-counter, with reset 


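% Up-counter with reset. state0 behaves as in UPCNT_SPEC. While clk is    %
% high, state1 becomes WORDN 0 if rst is asserted, else copies state0;    %
% rst has no effect while clk is low.                                     %
% NOTE(review): zero compares whole words with WORDN 0 by equality of     %
% functions num->bool, so bits above size take part in the comparison.    %
let UPRCNT_SPEC = new_definition
  (`UPRCNT_SPEC`,
   "! size (din:time->wordn) ld up rst clk state0 state1 qout zero .
    UPRCNT_SPEC size din ld up rst clk state0 state1 qout zero =
      ! t:time .
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (up t) => INCN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) =>
                          ((rst t) => WORDN 0 | state0 t) |
                          state1 t) /\
        (qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;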


% 

Down-counter, with reset. 


-% 


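% Down-counter with reset: as UPRCNT_SPEC with DECN in place of INCN and  %
% down in place of up. rst acts on state1 only while clk is high.         %
% NOTE(review): zero compares whole words with WORDN 0 by equality of     %
% functions num->bool, so bits above size take part in the comparison.    %
let DOWNRCNT_SPEC = new_definition
  (`DOWNRCNT_SPEC`,
   "! size (din:time->wordn) ld down rst clk state0 state1 qout zero .
    DOWNRCNT_SPEC size din ld down rst clk state0 state1 qout zero =
      ! t:time .
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (down t) => DECN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) =>
                          ((rst t) => WORDN 0 | state0 t) |
                          state1 t) /\
        (qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;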

close_theory();; 


File: datapaths_def.ml 

Author: (c) D.A. Fura 1992 
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Date: 


31 March 1992 


This file contains the ml source for the datapath blocks of the R-Port of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 


% 


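% Delete any stale datapaths_def theory file, open the theory, load the   %
% abstract package, declare the parent theories, and bind rep_ty to the   %
% abstract representation type taken from aux_def.                        %
system `rm datapaths_def.th`;;
new_theory `datapaths_def`;;
map loadf [`abstract`];;

map new_parent [`aux_def`; `array_def`; `wordn_def`];;
let rep_ty = abstract_type `aux_def` `Andn`;;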

% 

Counter block used to build timers. 


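% Counter datapath block. Register updates are given as two implications, %
% one guarded by clkA and one by clkB; the bus and carry outputs are      %
% defined from the registers at t+1.                                      %
% - The increment and the all-ones test use the fixed bit index 31.       %
% - busA_out1 and busA_out2 are ARBN unless the matching read enable      %
%   (at t+1) and clkA are both true.                                      %
% NOTE(review): if neither clock is high at t the register values at t+1  %
% are unconstrained, and if both are high both sets of equations apply;   %
% the block presumably relies on the two phases never overlapping, which  %
% is an assumption the environment has to discharge.                      %
% NOTE(review): csror_ld is read from an unclear scan; confirm the name.  %
let DP_CTR_SPEC = new_definition
  (`DP_CTR_SPEC`,
   "! clkA clkB (busB_in:time->wordn) cir_wr c_ld cir_rd ce cin csror_ld cor_rd
      r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
      r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out .
    DP_CTR_SPEC clkA clkB busB_in cir_wr c_ld cir_rd ce cin csror_ld cor_rd
      r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
      r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out =
    ! t:time .
      ((clkA t) ==>
        ((r_ctr_in (t+1) = r_ctr_in t) /\
         (r_ctr_mux_sel (t+1) = r_ctr_mux_sel t) /\
         (r_ctr_irden (t+1) = r_ctr_irden t) /\
         (r_ctr (t+1) = (r_ctr_mux_sel t) => r_ctr_in t | r_ctr_new t) /\
         (r_ctr_ce (t+1) = ce t) /\
         (r_ctr_cin (t+1) = cin t) /\
         (r_ctr_cry (t+1) = r_ctr_cry t) /\
         (r_ctr_new (t+1) = r_ctr_new t) /\
         (r_ctr_outA (t+1) = r_ctr_new t) /\
         (r_ctr_out (t+1) = r_ctr_out t) /\
         (r_ctr_orden (t+1) = r_ctr_orden t))) /\
      ((clkB t) ==>
        ((r_ctr_in (t+1) = (cir_wr t) => busB_in t | r_ctr_in t) /\
         (r_ctr_mux_sel (t+1) = c_ld t) /\
         (r_ctr_irden (t+1) = cir_rd t) /\
         (r_ctr (t+1) = r_ctr t) /\
         (r_ctr_ce (t+1) = r_ctr_ce t) /\
         (r_ctr_cin (t+1) = r_ctr_cin t) /\
         (r_ctr_cry (t+1) = (r_ctr_ce t) /\ (r_ctr_cin t) /\ ONES 31 (r_ctr t)) /\
         (r_ctr_new (t+1) = ((r_ctr_ce t) /\ (r_ctr_cin t)) => INCN 31 (r_ctr t) | r_ctr t) /\
         (r_ctr_outA (t+1) = r_ctr_outA t) /\
         (r_ctr_out (t+1) = (csror_ld t) => r_ctr_outA t | r_ctr_out t) /\
         (r_ctr_orden (t+1) = cor_rd t))) /\
      ((busA_out1 t = ((r_ctr_irden (t+1)) /\ (clkA t)) => r_ctr_in (t+1) | ARBN) /\
       (busA_out2 t = ((r_ctr_orden (t+1)) /\ (clkA t)) => r_ctr_out (t+1) | ARBN) /\
       (c_out t = r_ctr_cry (t+1)))"
  );;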


% 

Interrupt Control Register (ICR) block. 


% 


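% Interrupt Control Register datapath block. On clkA the new register     %
% value r_icrA is Andn or Orn (selected by icr_select) of the old value   %
% and the mask; on clkB the old value, mask, register and read enable are %
% loaded under their respective control signals.                          %
% - Andn and Orn are taken from the abstract representation rep, so this  %
%   definition fixes only how they are used, not what they compute.       %
% - busA_out is ARBN unless r_icr_rden (at t+1) and clkA are both true.   %
% NOTE(review): register values at t+1 are unconstrained when neither     %
% clock is high at t; confirm the non-overlapping clock assumption.       %
let DP_ICR_SPEC = new_definition
  (`DP_ICR_SPEC`,
   "! (rep:^rep_ty) clkA clkB (busA_in:time->wordn) busB_in icr_wr_feedback icr_wr icr_select icr_ld icr_rd
      r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr r_icr_rden
      busA_out icr_out .
    DP_ICR_SPEC rep clkA clkB busA_in busB_in icr_wr_feedback icr_wr icr_select icr_ld icr_rd
      r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr r_icr_rden
      busA_out icr_out =
    ! t:time .
      ((clkA t) ==>
        (r_icr_oldA (t+1) = busA_in t) /\
        (r_icr_old (t+1) = r_icr_old t) /\
        (r_icr_mask (t+1) = r_icr_mask t) /\
        (r_icrA (t+1) = (icr_select t) => Andn rep (r_icr_old t, r_icr_mask t)
                                        | Orn rep (r_icr_old t, r_icr_mask t)) /\
        (r_icr (t+1) = r_icr t) /\
        (r_icr_rden (t+1) = r_icr_rden t)) /\
      ((clkB t) ==>
        (r_icr_oldA (t+1) = r_icr_oldA t) /\
        (r_icr_old (t+1) = (icr_wr_feedback t) => r_icr_oldA t | r_icr_old t) /\
        (r_icr_mask (t+1) = (icr_wr t) => busB_in t | r_icr_mask t) /\
        (r_icrA (t+1) = r_icrA t) /\
        (r_icr (t+1) = (icr_ld t) => r_icrA t | r_icr t) /\
        (r_icr_rden (t+1) = icr_rd t)) /\
      ((busA_out t = ((r_icr_rden (t+1) /\ (clkA t)) => r_icr (t+1) | ARBN)) /\
       (icr_out t = r_icr (t+1)))"
  );;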


% 

Control register used to build General Control Register (GCR) and Communication Control Register (CCR). 


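% Control register block: r_cr holds on clkA and loads busB_in on clkB    %
% when cr_wr is asserted; r_cr_rden holds on clkA and loads cr_rd on      %
% clkB. busA_out is ARBN unless r_cr_rden (at t+1) and clkA are both      %
% true; cr_out always shows r_cr at t+1.                                  %
let DP_CR_SPEC = new_definition
  (`DP_CR_SPEC`,
   "! clkA clkB (busB_in:time->wordn) cr_wr cr_rd
      r_cr r_cr_rden
      busA_out cr_out .
    DP_CR_SPEC clkA clkB busB_in cr_wr cr_rd
      r_cr r_cr_rden
      busA_out cr_out =
    ! t:time .
      ((clkA t) ==>
        (r_cr (t+1) = r_cr t) /\
        (r_cr_rden (t+1) = r_cr_rden t)) /\
      ((clkB t) ==>
        (r_cr (t+1) = (cr_wr t) => busB_in t | r_cr t) /\
        (r_cr_rden (t+1) = cr_rd t)) /\
      ((busA_out t = ((r_cr_rden (t+1)) /\ (clkA t)) => r_cr (t+1) | ARBN) /\
       (cr_out t = r_cr (t+1)))"
  );;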


% 

Status Register Block. 




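% Status register block: r_sr holds on clkA and loads inp on clkB when    %
% the load signal is asserted; r_sr_rden holds on clkA and loads sr_rd on %
% clkB. busA_out is ARBN unless r_sr_rden (at t+1) and clkA are both      %
% true.                                                                   %
% NOTE(review): sror_ld is read from an unclear scan; confirm the name.   %
let DP_SR_SPEC = new_definition
  (`DP_SR_SPEC`,
   "! clkA clkB (inp:time->wordn) sror_ld sr_rd
      r_sr r_sr_rden
      busA_out .
    DP_SR_SPEC clkA clkB inp sror_ld sr_rd
      r_sr r_sr_rden
      busA_out =
    ! t:time .
      ((clkA t) ==>
        (r_sr (t+1) = r_sr t) /\
        (r_sr_rden (t+1) = r_sr_rden t)) /\
      ((clkB t) ==>
        (r_sr (t+1) = (sror_ld t) => inp t | r_sr t) /\
        (r_sr_rden (t+1) = sr_rd t)) /\
      (busA_out t = ((r_sr_rden (t+1)) /\ (clkA t)) => r_sr (t+1) | ARBN)"
  );;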

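% End of the datapaths_def theory. %
close_theory();;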


File: 

buses_def.ml 

Author: 

(c) D.A. Fura 1992 

Date: 

31 March 1992 


This file contains the ml source for the buses used in the gate-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

% 


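% Delete any stale buses_def theory file, open the theory with aux_def as %
% parent, and abbreviate the type num as time.                            %
system `rm buses_def.th`;;

new_theory `buses_def`;;

map new_parent [`aux_def`];;
new_type_abbrev(`time`, ":num");;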


Specification for a conflict-free bus. 


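% Conflict-freedom of twelve bus enables: at every time t, if enable k is %
% true then none of the higher-numbered enables is true. Taken over the   %
% whole chain this says that at most one enable is asserted at a time.    %
% The case where no enable is asserted satisfies the predicate (final T). %
let Bus_CF_12_SPEC = new_definition
  (`Bus_CF_12_SPEC`,
   "! inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 .
    Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 =
    ! t:time .
      (inE1 t) => ~((inE2 t) \/ (inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/
                    (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE2 t) => ~((inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/
                    (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE3 t) => ~((inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/
                    (inE11 t) \/ (inE12 t)) |
      (inE4 t) => ~((inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/
                    (inE12 t)) |
      (inE5 t) => ~((inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE6 t) => ~((inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE7 t) => ~((inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE8 t) => ~((inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE9 t) => ~((inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE10 t) => ~((inE11 t) \/ (inE12 t)) |
      (inE11 t) => ~(inE12 t) | T"
  );;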


% 

Specification for a 12-input bus component. 

% 


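% Twelve-input bus: provided the enables satisfy Bus_CF_12_SPEC, the      %
% output equals the data input whose enable is asserted.                  %
% The definition says nothing about out when the conflict-freedom         %
% hypothesis fails or when no enable is asserted, so bus contention and   %
% a floating bus are outside the model; any use of this component needs   %
% Bus_CF_12_SPEC established for its enables.                             %
let Bus_12_1_SPEC = new_definition
  (`Bus_12_1_SPEC`,
   "! (inD1:time->*) inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
      inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out .
    Bus_12_1_SPEC inD1 inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
      inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out =
    ! t:time .
      (Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12) ==>
        ((inE1 t ==> (out t = inD1 t)) /\
         (inE2 t ==> (out t = inD2 t)) /\
         (inE3 t ==> (out t = inD3 t)) /\
         (inE4 t ==> (out t = inD4 t)) /\
         (inE5 t ==> (out t = inD5 t)) /\
         (inE6 t ==> (out t = inD6 t)) /\
         (inE7 t ==> (out t = inD7 t)) /\
         (inE8 t ==> (out t = inD8 t)) /\
         (inE9 t ==> (out t = inD9 t)) /\
         (inE10 t ==> (out t = inD10 t)) /\
         (inE11 t ==> (out t = inD11 t)) /\
         (inE12 t ==> (out t = inD12 t)))"
  );;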
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Specification for a single-input bus component where the input is sourced by an A-clocked latch. 


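% Single-input bus fed by an A-clocked latch: both outputs equal the      %
% input at the same time t.                                               %
let Bus1A_SPEC = new_definition
  (`Bus1A_SPEC`,
   "! (in_A:time->*) out_A out_B .
    Bus1A_SPEC in_A out_A out_B =
      ! t:time .
        (out_A t = in_A t) /\
        (out_B t = in_A t)"
  );;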

% — 

Specification for a single-input bus component where the input is sourced by a B-clocked latch. 


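% Single-input bus fed by a B-clocked latch: out_B equals the input at t, %
% out_A equals the input one step earlier.                                %
% NOTE(review): t-1 is subtraction on num, so at t = 0 the first clause   %
% reads in_B 0 rather than a value before time zero; confirm this is the  %
% intended initial behaviour.                                             %
let Bus1B_SPEC = new_definition
  (`Bus1B_SPEC`,
   "! (in_B:time->*) out_A out_B .
    Bus1B_SPEC in_B out_A out_B =
      ! t:time .
        (out_A t = in_B (t-1)) /\
        (out_B t = in_B t)"
  );;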


close_theory();; 

File: aux_def.ml 

Author (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains auxiliary definitions needed for the gate-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 




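% Delete any stale aux_def theory file, open the theory, load the         %
% abstract package, and introduce the two type abbreviations used         %
% throughout: time for num and wordn for num->bool.                       %
system `rm aux_def.th`;;
new_theory `aux_def`;;
loadf `abstract`;;

new_type_abbrev(`time`, ":num");;
new_type_abbrev(`wordn`, ":(num->bool)");;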
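% Enumerated type with four constructors, presumably the states of the    %
% P-Port controller state machine.                                        %
% NOTE(review): P_ILL is read from an unclear scan; confirm the name.     %
let pfsm_ty_Axiom =
  define_type `pfsm_ty_Axiom`
    `pfsm_ty = PH | PA | PD | P_ILL`;;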

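% ML bindings of three tuple types (state, environment, output). They are %
% spliced into the type of p_interp in abs_rep by antiquotation.          %
% NOTE(review): every word-typed component is read as wordn; the scan     %
% garbles several of them, so check the component count against the       %
% original listing.                                                       %
let pc_state_ty = ":(wordn#bool#wordn#bool#pfsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool)";;
let pc_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let pc_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;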

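% Enumerated type with ten constructors; one of three state-machine types %
% that appear in cc_state_ty.                                             %
let cmfsm_ty_Axiom =
  define_type `cmfsm_ty_Axiom`
    `cmfsm_ty = CMI | CMR | CMA3 | CMA1 | CMA0 | CMA2 | CMD1 | CMD0
              | CMW | CMABT`;;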

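% Enumerated type with eleven constructors; appears in cc_state_ty.       %
let csfsm_ty_Axiom =
  define_type `csfsm_ty_Axiom`
    `csfsm_ty = CSI | CSL | CSA1 | CSA0 | CSA0W | CSALE | CSRR | CSD1 | CSD0 | CSACK | CSABT`;;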
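% Enumerated type with two constructors; appears in cc_state_ty.          %
let cefsm_ty_Axiom =
  define_type `cefsm_ty_Axiom`
    `cefsm_ty = CEI | CEE`;;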

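% ML bindings of the state, environment and output tuple types that are   %
% spliced into the type of c_interp in abs_rep.                           %
% NOTE(review): every word-typed component is read as wordn; check the    %
% component count against the original listing.                           %
let cc_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#wordn#bool#
                     csfsm_ty#bool#bool#bool#wordn#
                     cefsm_ty#bool#bool#bool#bool#bool#bool#
                     bool#wordn#bool#bool#bool#wordn#bool#
                     bool#bool#bool#bool#bool#bool#bool#
                     bool#bool#bool#wordn#wordn#wordn#wordn#wordn#wordn)";;
let cc_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let cc_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                   bool#wordn#wordn#wordn#wordn#bool#bool)";;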

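% Enumerated type with seven constructors; appears in mc_state_ty.        %
% NOTE(review): M_ILL is read from an unclear scan; confirm the name.     %
let mfsm_ty_Axiom =
  define_type `mfsm_ty_Axiom`
    `mfsm_ty = MI | MA | MW | MRR | MR | MBW | M_ILL`;;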

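% ML bindings of the state, environment and output tuple types that are   %
% spliced into the type of m_interp in abs_rep.                           %
% NOTE(review): every word-typed component is read as wordn; check the    %
% component count against the original listing.                           %
let mc_state_ty = ":(mfsm_ty#bool#bool#bool#bool#wordn#bool#bool#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let mc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let mc_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;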

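% Enumerated type with three constructors; appears in rc_state_ty.        %
let rfsm_ty_Axiom =
  define_type `rfsm_ty_Axiom`
    `rfsm_ty = RI | RA | RD`;;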

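% ML bindings of the state, environment and output tuple types that are   %
% spliced into the type of r_interp in abs_rep.                           %
% NOTE(review): every word-typed component is read as wordn; check the    %
% component count against the original listing.                           %
let rc_state_ty = ":(rfsm_ty#bool#bool#bool#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#bool#wordn#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#
                     bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn)";;
let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#wordn#wordn#bool#bool#wordn)";;
let rc_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;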

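% Enumerated type with fourteen constructors; appears in sc_state_ty.     %
% NOTE(review): the scan does not distinguish the letter O from the digit %
% 0 or the letter I from the digit 1. SC0I, SC0F, SC1I and SC1F are read  %
% as two numbered pairs; SO is kept as printed. Confirm against the       %
% original listing.                                                       %
let sfsm_ty_Axiom =
  define_type `sfsm_ty_Axiom`
    `sfsm_ty = SSTART | SRA | SPF | SC0I | SC0F | ST | SC1I |
               SC1F | SS | SSTOP | SCS | SN | SO | S_ILL`;;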

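% ML bindings of the state, environment and output tuple types that are   %
% spliced into the type of s_interp in abs_rep.                           %
% NOTE(review): every word-typed component is read as wordn; check the    %
% component count against the original listing.                           %
let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#
                     bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool)";;
let sc_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;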

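% Constant-high signal: VDD is T at every time t. %
let VDD = new_definition
  (`VDD`,
   "! t:time . VDD t = T"
  );;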

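% Constant-low signal: GND is F at every time t. %
let GND = new_definition
  (`GND`,
   "! t:time . GND t = F"
  );;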

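% Abstract representation: a list of operation names with their types     %
% only. The word-level logic operations, the Hamming and parity encode,   %
% decode and detect operations, and the five port interpretation          %
% relations are all left uninterpreted here.                              %
% Consequence for anyone relying on the specification: nothing proved     %
% over this representation says that the Hamming or parity operations     %
% detect or correct any error; such properties have to be supplied when   %
% the representation is instantiated.                                     %
% NOTE(review): p_interp is read from an unclear scan; confirm the name.  %
let abs_rep = new_abstract_representation [
  (`Andn`, ":(wordn#wordn->wordn)");
  (`Orn`, ":(wordn#wordn->wordn)");
  (`Ham_Dec`, ":(wordn->wordn)");
  (`Ham_Det1`, ":(wordn->wordn)");
  (`Ham_Det2`, ":(wordn#bool->bool)");
  (`Ham_Enc`, ":(wordn->wordn)");
  (`Par_Dec`, ":(wordn->wordn)");
  (`Par_Det`, ":(wordn->bool)");
  (`Par_Enc`, ":(wordn->wordn)");
  (`p_interp`, ":(^pc_state_ty#^pc_env_ty#^pc_out_ty->bool)");
  (`c_interp`, ":(^cc_state_ty#^cc_env_ty#^cc_out_ty->bool)");
  (`m_interp`, ":(^mc_state_ty#^mc_env_ty#^mc_out_ty->bool)");
  (`r_interp`, ":(^rc_state_ty#^rc_env_ty#^rc_out_ty->bool)");
  (`s_interp`, ":(^sc_state_ty#^sc_env_ty#^sc_out_ty->bool)")];;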

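% Generate the instantiation theorems for the abstract representation and %
% bind rep_ty to its type.                                                %
make_inst_thms abs_rep;;

let rep_ty = abstract_type `aux_def` `Andn`;;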

close_theory();; 

% 

File: array_def.ml 

Author: (c) P. J. Windley 1992 

Description: 

Prove auxiliary theorems about functions so that functions 
can be easily used to represent arrays. 

Modification History: 

24FEB92 - Original file. Many of the theorems included were 

motivated by theorems defined on lists in 

list_aux.ini. 

26FEB92 — [DAF] Modified order of parameters in calls to 

ALTER, MALTER, SUBARRAY to match simulation 
language syntax. Added definition of ELEMENT. 
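% Removed 26FEB92. [DAF]
loadf `libs_aux`;;

system `/bin/rm array_def.th`;;
%

% Delete any stale array_def theory file, then open the theory. %
system `rm array_def.th`;;
new_theory `array_def`;;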


% Added 26FEB92 (from PJW). [DAF] % 
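% Inference rule that applies SYM_CONV once at depth to a theorem; any    %
% failure is re-raised under the name SYM_RULE.                           %
let SYM_RULE =
  (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
  ? failwith `SYM_RULE`;;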


% 

Auxiliary array definitions and theorems. 

We will use functions to represent arrays. The definition 
that follows defines a ALTER function that can be used to set 
the nth member of an array. The following lemmas are useful 
in reasoning about array operations. 


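% ALTER f n x is the function that returns x at index n and agrees with f %
% at every other index.                                                   %
let ALTER_DEF = new_definition
  (`ALTER_DEF`,
   "ALTER (f:*->**) n x = (\m. (m = n) => x | (f m))"
  );;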

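% Applied form of ALTER_DEF: the value of ALTER f n x at index y. %
let ALTER_THM = prove_thm
  (`ALTER_THM`,
   "ALTER (f:*->**) n x y = (y = n) => x | (f y)",
   REWRITE_TAC [ALTER_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;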


% 

ALTER_EQUAL is similar to the EL_SET_EL lemma for lists. 
% 


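% Reading back the index just written returns the written value. %
let ALTER_EQUAL = prove_thm
  (`ALTER_EQUAL`,
   "! x n (f:*->**) . (ALTER f n x) n = x",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ALTER_DEF]
   THEN BETA_TAC
   THEN REWRITE_TAC []
  );;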
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% 

ALTER_NON_EQUAL is similar to NOT_EL_SET_EL for lists. 

I % 

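% Writing index m leaves every other index n unchanged. %
let ALTER_NON_EQUAL = prove_thm
  (`ALTER_NON_EQUAL`,
   "! n m (f:*->**) x .
      ~(n = m) ==>
      (f n = (ALTER f m x) n)",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ALTER_THM]
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC []
  );;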


ALTER_COMMUTES is similar to SET_EL_SET_EL for lists. 

% 

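% Two writes to distinct indices can be performed in either order. %
let ALTER_COMMUTE = prove_thm
  (`ALTER_COMMUTE`,
   "! (d1:*) d2 (f:*->**) (x:**) y .
      ~(d1 = d2) ==>
      ((ALTER (ALTER f d2 x) d1 y) =
       (ALTER (ALTER f d1 y) d2 x))",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [ALTER_THM]
   THEN STRIP_TAC
   THEN GEN_TAC
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   THEN UNDISCH_TAC "~((d1:*) = d2)"
   THEN ASSUM_LIST (\thl . REWRITE_TAC (map SYM_RULE thl))
  );;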

% 


Until now, it hasn't mattered what the type of the subscript is 
and so the previous lemmas were all general, even though 
someone using them to represent arrays would probably be 
using numbers as subscripts. 


Now, we want to reason about subarrays given as a sequence from 
a starting value to an ending value. This presupposes that the 
subscripts can be totally ordered. To make life easy, we won’t 
be that general, but will use numbers as subscripts. 


-% 


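% SUBARRAY f (m,n) is the slice of f from index n up to m, re-based so    %
% that its index 0 is f n. Indices past the end of the slice give ARB,    %
% an unspecified value.                                                   %
let SUBARRAY_DEF = new_definition
  (`SUBARRAY_DEF`,
   "! n m (f:num->*) .
      SUBARRAY f (m,n) = \x. ((x+n) <= m) => f(x+n) | ARB"
  );;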
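% Applied form of SUBARRAY_DEF: the value of the slice at index x. %
let SUBARRAY_THM = prove_thm
  (`SUBARRAY_THM`,
   "! n m (f:num->*) .
      SUBARRAY f (m,n) x = ((x+n) <= m) => f(x+n) | ARB",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [SUBARRAY_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;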

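% ELEMENT f (m) is element m of the array f, i.e. f applied to m. %
let ELEMENT_DEF = new_definition
  (`ELEMENT_DEF`,
   "! m (f:num->*) .
      ELEMENT f (m) = f m"
  );;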

% 

MALTER alters multiple values in an array. 


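% MALTER f (m,n) g overwrites indices n..m of f with g re-based at n      %
% (index x takes g (x-n)) and leaves all other indices of f unchanged.    %
let MALTER_DEF = new_definition
  (`MALTER_DEF`,
   "! n m f (g:num->*) .
      MALTER f (m,n) g =
        \x. (n <= x /\ x <= m) => g (x-n) | f x"
  );;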

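% Applied form of MALTER_DEF: the value of the altered array at index x. %
let MALTER_THM = prove_thm
  (`MALTER_THM`,
   "! n m (x:num) g (f:num->*) .
      MALTER f (m,n) g x = (n <= x /\ x <= m) => g (x-n) | f x",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [MALTER_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;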


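% Writing a slice of f back into f over the same index range gives f. %
let MALTER_SUBARRAY_IDENT = prove_thm
  (`MALTER_SUBARRAY_IDENT`,
   "! n m (f:num->*) . MALTER f (m,n) (SUBARRAY f (m,n)) = f",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
   THEN GEN_TAC
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   % Split conjunctive assumptions so SUB_ADD can resolve against them. %
   THEN ASSUM_LIST (\thl . MAP_EVERY ASSUME_TAC
          (flat (map CONJUNCTS (filter (is_conj o concl) thl))))
   THEN IMP_RES_TAC SUB_ADD
   THEN TRY (UNDISCH_TAC "~((n' - n) + n) <= m")
   THEN ASM_REWRITE_TAC []
  );;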
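% Writing a slice of g into f over range n..m gives g inside the range    %
% and f outside it.                                                       %
% NOTE(review): the ML binding is printed with a trailing S and the       %
% theorem name string without one; both are kept as printed. Confirm      %
% which spelling the saved theory uses.                                   %
let MALTER_SUBARRAY_SUBSCRIPTS = prove_thm
  (`MALTER_SUBARRAY_SUBSCRIPT`,
   "! n m x (f:num->*) g .
      MALTER f (m,n) (SUBARRAY g (m,n)) x =
        (n <= x /\ x <= m) => g x | f x",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   % Split conjunctive assumptions so SUB_ADD can resolve against them. %
   THEN ASSUM_LIST (\thl . MAP_EVERY ASSUME_TAC
          (flat (map CONJUNCTS (filter (is_conj o concl) thl))))
   THEN IMP_RES_TAC SUB_ADD
   THEN TRY (UNDISCH_TAC "~((x - n) + n) <= m")
   THEN ASM_REWRITE_TAC []
  );;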

close_theory();; 


File: wordn_def.ml 
Description: 

Defines a theory of words which contains a definition for 
converting between functions from numbers to booleans and 
natural numbers and proves various useful theorems about 
this definition. This file is based on a theory that was 
originally authored by Graham Birtwhistle of the University 
of Calgary in 1988. 

Authors: (c) Graham Birtwhistle, Phillip Windley, 1988, 1992 
Modification History: 

28FEB92 - [PJW] Original file from words ml 

10MAR92 ~ [PJW] Added definition of WORDN. 

13MAR92 - [DAF] Added definitions of bv, SETN, RSTN, GNDN, 
NOTN, INCN, DECN, ARBN. 

% 


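% Removed 13MAR92. [DAF]

let add_root s = `/users/staff/windley/hol/Library/` ^ s;;

set_search_path(search_path() @
                (map add_root
                     [`bits/`;
                      `numbers/`;
                      `array/`]));;
%

% Delete any stale wordn_def theory file, then open the theory. %
system `/bin/rm wordn_def.th`;;
new_theory `wordn_def`;;

% Replaced 13MAR92. [DAF]

map load_parent [`bits`; `num_thms`; `exp`; `array_def`];;
%

map new_parent [`aux_def`; `array_def`];;

% A word is a function from bit index to bit value. %
new_type_abbrev (`wordn`, ":num->bool");;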

% 

Definitions 

% 


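% Bit value: maps T to 1 and F to 0. %
let bv = new_definition
  (`bv`,
   "! (b:bool) .
      bv b = (b) => 1 | 0"
  );;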

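% VAL n f is the natural number denoted by bits 0..n of the word f, with  %
% bit k weighted by 2 EXP k. Defined by primitive recursion on n.         %
let VAL = new_prim_rec_definition
  (`VAL`,
   "(VAL 0 (f:wordn) = bv (f 0))
    /\
    (VAL (SUC n) f = ((2 EXP (SUC n)) * (bv (f (SUC n)))) + VAL n f)"
  );;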

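% pos_val x y is the contribution of bit y of word x to its value. %
let pos_val = new_definition
  (`pos_val`,
   "! (x:wordn) (y:num) .
      pos_val x y = (bv(x y)) * (2 EXP y)"
  );;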

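% ONES n a holds when bits 0..n of a are all T. Bits above n are not      %
% examined.                                                               %
let ONES = new_prim_rec_definition
  (`ONES`,
   "(ONES 0 a = (a 0))
    /\
    (ONES (SUC n) a = (a(SUC n)) /\ (ONES n a))"
  );;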

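% ZEROS n a holds when bits 0..n of a are all F. Bits above n are not     %
% examined.                                                               %
let ZEROS = new_prim_rec_definition
  (`ZEROS`,
   "(ZEROS 0 a = ~(a 0))
    /\
    (ZEROS (SUC n) a = ~(a(SUC n)) /\ (ZEROS n a))"
  );;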

% Modified 13MAR92. [DAF] 
let WORDN = new_defimtioD 
(‘WORDN 4 , 

“I (x:num) . WORDN x = \n. (x DTV (2 EXP o» MOD 2” 
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);; 

% 

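% WORDN x is the word whose bit n is T exactly when binary digit n of the %
% number x is 1. Every bit index is given a definite value, so bits       %
% beyond the magnitude of x are F.                                        %
let WORDN = new_definition
  (`WORDN`,
   "! (x:num) . WORDN x = \n. ((x DIV (2 EXP n)) MOD 2 = 1)"
  );;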

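% SETN x is the word with bits 0..x set to T; bits above x are ARB,       %
% an unspecified value.                                                   %
let SETN = new_definition
  (`SETN`,
   "! (x:num) . SETN x = \(n:num). (n <= x) => T | ARB"
  );;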

% Equivalent to “WORDN 0” but perhaps more convenient % 
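% RSTN x is the word with bits 0..x set to F; bits above x are ARB.       %
% NOTE(review): WORDN 0 is F at every bit index, so RSTN x and WORDN 0    %
% agree on bits 0..x only. As functions they are equal only if ARB is F,  %
% which the definition does not provide.                                  %
let RSTN = new_definition
  (`RSTN`,
   "! (x:num) . RSTN x = \(n:num). (n <= x) => F | ARB"
  );;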

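% Constant word signal: at every time t, GNDN x t has bits 0..x set to F  %
% and bits above x ARB. The time argument is not used on the right-hand   %
% side.                                                                   %
let GNDN = new_definition
  (`GNDN`,
   "! (x:num) (t:time) . GNDN x t = \(n:num). (n <= x) => F | ARB"
  );;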

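% Bitwise negation of bits 0..x of the word f; bits above x are ARB. %
let NOTN = new_definition
  (`NOTN`,
   "! (x:num) (f:wordn) . NOTN x f = \(n:num) . (n <= x) => ~(f n) | ARB"
  );;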

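% Increment of bits 0..n of f: wraps to RSTN n when all of those bits are %
% T, otherwise yields the word for VAL n f plus one.                      %
% NOTE(review): on wrap-around the result is RSTN n, whose bits above n   %
% are ARB, while the other branch is built with WORDN and has a definite  %
% value at every index. A test of the form INCN n f = WORDN 0, as in the  %
% zero output of the counter specifications, therefore compares ARB bits  %
% with F in the wrap-around case; confirm that this is intended.          %
let INCN = new_definition
  (`INCN`,
   "! n f .
      INCN n f = (ONES n f) => RSTN n | WORDN ((VAL n f) + 1)"
  );;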

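% Decrement of bits 0..n of f: wraps to SETN n when all of those bits are %
% F, otherwise yields the word for VAL n f minus one. The ZEROS guard     %
% keeps the subtraction away from the all-zero case.                      %
% NOTE(review): on wrap-around the result is SETN n, whose bits above n   %
% are ARB.                                                                %
let DECN = new_definition
  (`DECN`,
   "! n f .
      DECN n f = (ZEROS n f) => SETN n | WORDN ((VAL n f) - 1)"
  );;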

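% ARBN is the word whose every bit is ARB (entirely unspecified). %
let ARBN = new_definition
  (`ARBN`,
   "(ARBN:num->bool) = \n. ARB"
  );;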

% 

Theorems 

% Removed theorems for now 13MAR92. [DAF] 
close_theory();; 
Appendix B  ML Source for the Gate-Level Specification of the PIU Ports.

This appendix contains the HOL models for the gate-level specification for the PIU ports. The ports are
listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.

B.1 P Port Specification

File: p_block.ml

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the gate-level specification of the PIU P-Port, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

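% Theory set-up: extend the search path, delete any stale theory file,
  open the theory and declare the parents it depends on. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm p_block.th`;;
new_theory `p_block`;;

map new_parent [`gates_def`; `latches_def`; `ffs_def`; `counters_def`;
                `aux_def`; `array_def`; `paux_def`];;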

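% Tuple types and variable tuples for the P-Port state, environment
  (inputs) and outputs. Each type lists its components in the same order
  as the matching variable tuple; the tuples are typed by antiquoting the
  type. %
let p_state_ty = ":(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#num#bool#bool#
                    pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#num#bool#bool#bool#bool#bool#bool)";;
let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
                 P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                 P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                 P_lock_inh_, P_male_, P_rale_)
                :^p_state_ty)";;

let p_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              :^p_env_ty)";;

let p_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;

let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
               I_mrdy_, I_last_, I_hlda_, I_lock_)
              :^p_out_ty)";;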

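% P-Port data latches.

  While clkA is high, wr_data and be_n follow the local-bus inputs and the
  addr, destl, be and wr latches load when en_in is high; while clkB is high
  every latch holds. The outputs are taken from the values at t+1. The
  outgoing address word is assembled field by field: bits 31..27 from be,
  bit 26 forced F, bits 25..24 from address bits 1..0 and bits 23..0 from
  address bits 25..2. %
% NOTE(review): the two clock phases are guarded by separate implications.
  Nothing in this definition makes clkA and clkB mutually exclusive or says
  that one of them is always high, so the latch contents are unconstrained
  when neither holds. Assumes a two-phase non-overlapping clock stated
  elsewhere; confirm. %
let Data_Latches_SPEC = new_definition
  (`Data_Latches_SPEC`,
   "! clkA clkB (lad_in:time->(num->bool)) (lbe_in:time->(num->bool)) (lwr_in:time->bool) en_in be_sel
      wr_data addr destl be wr be_n
      data_out addr_out be_out .
    Data_Latches_SPEC clkA clkB lad_in lbe_in lwr_in en_in be_sel
                      wr_data addr destl be wr be_n
                      data_out addr_out be_out =
      !t:time .
        ((clkA t) ==>
           ((wr_data (t+1) = lad_in t) /\
            (addr (t+1) = (en_in t) => (lad_in t) | (addr t)) /\
            (destl (t+1) = (en_in t) => (ELEMENT (lad_in t) (31)) | (destl t)) /\
            (be (t+1) = (en_in t) => (lbe_in t) | (be t)) /\
            (wr (t+1) = (en_in t) => (lwr_in t) | (wr t)) /\
            (be_n (t+1) = lbe_in t))) /\
        ((clkB t) ==>
           ((wr_data (t+1) = wr_data t) /\
            (addr (t+1) = addr t) /\
            (destl (t+1) = destl t) /\
            (be (t+1) = be t) /\
            (wr (t+1) = wr t) /\
            (be_n (t+1) = be_n t))) /\
        ((data_out t = wr_data (t+1)) /\
         (let od1 = MALTER (addr_out t) (31,27) (be (t+1)) in
         (let od2 = ALTER od1 (26) F in
         (let od3 = MALTER od2 (25,24) (SUBARRAY (addr (t+1)) (1,0)) in
         (let od4 = MALTER od3 (23,0) (SUBARRAY (addr (t+1)) (25,2)) in
         (addr_out t = od4))))) /\
         (be_out t = (be_sel t) => (be (t+1)) | (be_n (t+1))))"
  );;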


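% Input logic for P_rqt latch.

  The set input is raised when l_ads_ is low and l_den_ is high, the reset
  input follows reset_rqt, and the latch enable is the OR of the two. %
let Req_Inputs_SPEC = new_definition
  (`Req_Inputs_SPEC`,
   "! l_ads_ l_den_ (reset_rqt:time->bool) rqt_inS rqt_inR rqt_inE .
    Req_Inputs_SPEC l_ads_ l_den_ reset_rqt rqt_inS rqt_inR rqt_inE =
      !t:time .
        (rqt_inS t = ~(l_ads_ t) /\ (l_den_ t)) /\
        (rqt_inR t = reset_rqt t) /\
        (rqt_inE t = (rqt_inS t) \/ (rqt_inR t))"
  );;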


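% Input logic for P_size counter.

  While clkA is high the A-side latches copy p_size, p_load and p_down and
  the master side holds. While clkB is high the A side holds and p_size is
  reloaded from bits 1..0 of l_ad_in, decremented, or held, selected by
  p_loadA and p_downA. zero_cnt reports whether the (possibly decremented)
  count equals WORDN 0. %
% NOTE(review): DECN takes the top bit index as its first argument, so
  DECN 2 spans bits 0..2 while the loaded field is SUBARRAY (1,0); confirm
  the index against the original listing. The zero_cnt test is an equality
  of whole words, so it also depends on the bits above the counter width. %
let Ctr_Logic_SPEC = new_definition
  (`Ctr_Logic_SPEC`,
   "! clkA clkB l_ad_in load_in down_in zero_cnt
      p_size p_sizeA p_load p_loadA p_down p_downA .
    Ctr_Logic_SPEC clkA clkB l_ad_in load_in down_in zero_cnt
                   p_size p_sizeA p_load p_loadA p_down p_downA =
      !t:time .
        ((clkA t) ==>
           ((p_sizeA (t+1) = p_size t) /\
            (p_loadA (t+1) = p_load t) /\
            (p_downA (t+1) = p_down t) /\
            (p_size (t+1) = p_size t) /\
            (p_load (t+1) = p_load t) /\
            (p_down (t+1) = p_down t))) /\
        ((clkB t) ==>
           ((p_sizeA (t+1) = p_sizeA t) /\
            (p_loadA (t+1) = p_loadA t) /\
            (p_downA (t+1) = p_downA t) /\
            (p_size (t+1) = (p_loadA t) => SUBARRAY (l_ad_in t) (1,0) |
                            (p_downA t) => DECN 2 (p_sizeA t) |
                                           p_sizeA t) /\
            (p_load (t+1) = load_in t) /\
            (p_down (t+1) = down_in t))) /\
        (zero_cnt t = (p_downA t) => (DECN 2 (p_sizeA (t+1)) = (WORDN 0)) | (p_sizeA (t+1) = (WORDN 0)))"
  );;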


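% Accumulated random logic.

  Combinational decode for the P-Port. Address bit 31 separates the two
  request classes: with bit 31 set and a request pending, i_crqt_ is driven
  low; with bit 31 clear, i_rale_ is driven low when address bits 25..24
  equal 3 and i_male_ is driven low otherwise, both only in the address
  state. fsm_sack is raised in the data state when the count is zero and
  i_srdy_ is low, and reset_rqt is the OR of rst and fsm_sack. %
% NOTE(review): VAL takes the top bit index as its first argument; as
  printed it is 26 although the operand is the two-bit field (25,24).
  Confirm the index against the original listing, since it decides which
  addresses select the register port rather than the memory port. %
let Scat_Logic_SPEC = new_definition
  (`Scat_Logic_SPEC`,
   "! rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
      i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_
      fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready .
    Scat_Logic_SPEC rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
                    i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_
                    fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready =
      !t:time .
        (i_ad_data_out_en t = (p_wr t) /\ (fsm_dstate t)) /\
        (l_ad_out_en_ t = (p_wr t) /\ (fsm_dstate t) \/ ~(fsm_hlda_ t) \/ (fsm_astate t)) /\
        (i_rale_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                       (VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                       (fsm_astate t) /\
                       (p_rqt t))) /\
        (i_male_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                       ~(VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                       (fsm_astate t) /\
                       (p_rqt t))) /\
        (i_crqt_ t = ~((ELEMENT (p_addr t) (31)) /\ (p_rqt t))) /\
        (fsm_mrqt t = ~(ELEMENT (p_addr t) (31)) /\ (p_rqt t)) /\
        (fsm_rst t = rst t) /\
        (fsm_sack t = (zero_cnt t) /\ ~(i_srdy_ t) /\ (fsm_dstate t)) /\
        (reset_rqt t = (rst t) \/ (fsm_sack t)) /\
        (l_ready t = ~(i_srdy_ t) /\ (fsm_dstate t))"
  );;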


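% Input logic for P_lock_ latch.

  lock_inE is raised on reset or in the data state; lock_inh_inE is raised
  on reset or when either p_male_ or p_rale_ is low. %
let Lock_Inputs_SPEC = new_definition
  (`Lock_Inputs_SPEC`,
   "! rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE .
    Lock_Inputs_SPEC rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE =
      !t:time .
        (lock_inE t = (rst t) \/ (fsm_dstate t)) /\
        (lock_inh_inE t = (rst t) \/ ~(p_male_ t) \/ ~(p_rale_ t))"
  );;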


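% P-Port controller state machine.

  While clkA is high the latched inputs hold and the next state stateA is
  computed from state and those inputs; reset forces PA. The decoded
  signals astate, dstate and hlda_ are derived from the new stateA. While
  clkB is high the inputs are sampled, state takes the value of stateA and
  the decoded signals hold. The three outputs are the decoded signals at
  t+1. %
% NOTE(review): as printed, hlda_ is the complement of (stateA = PA), the
  same condition that defines astate. That makes the ~(fsm_hlda_ t) term in
  Scat_Logic_SPEC coincide with fsm_astate. Check the state name against
  the original listing (PH may have been intended). %
let FSM_SPEC = new_definition
  (`FSM_SPEC`,
   "! clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
      state rst mrqt sack cgnt_ crqt_ hold_ lock_
      stateA astate dstate hlda_
      astate_out dstate_out hlda_out_ .
    FSM_SPEC clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
             state rst mrqt sack cgnt_ crqt_ hold_ lock_
             stateA astate dstate hlda_
             astate_out dstate_out hlda_out_ =
      !t:time .
        ((clkA t) ==>
           ((state (t+1) = state t) /\
            (rst (t+1) = rst t) /\
            (mrqt (t+1) = mrqt t) /\
            (sack (t+1) = sack t) /\
            (cgnt_ (t+1) = cgnt_ t) /\
            (crqt_ (t+1) = crqt_ t) /\
            (hold_ (t+1) = hold_ t) /\
            (lock_ (t+1) = lock_ t) /\
            (stateA (t+1) =
               ((rst t) => PA |
                (state t = PH) => ((hold_ t) => PA | PH) |
                (state t = PA) => (((mrqt t) \/ ~(cgnt_ t) /\ ~(crqt_ t)) => PD |
                                   (((lock_ t) /\ ~(hold_ t)) => PH | PA)) |
                (((sack t) /\ (hold_ t)) => PA |
                 ((sack t) /\ ~(hold_ t) /\ ~(lock_ t)) => PA |
                 ((sack t) /\ ~(hold_ t) /\ (lock_ t)) => PH | PD))) /\
            (astate (t+1) = (stateA (t+1) = PA)) /\
            (dstate (t+1) = (stateA (t+1) = PD)) /\
            (hlda_ (t+1) = ~(stateA (t+1) = PA)))) /\
        ((clkB t) ==>
           ((state (t+1) = stateA t) /\
            (rst (t+1) = rst_in t) /\
            (mrqt (t+1) = mrqt_in t) /\
            (sack (t+1) = sack_in t) /\
            (cgnt_ (t+1) = cgnt_in_ t) /\
            (crqt_ (t+1) = crqt_in_ t) /\
            (hold_ (t+1) = hold_in_ t) /\
            (lock_ (t+1) = lock_in_ t) /\
            (stateA (t+1) = stateA t) /\
            (astate (t+1) = astate t) /\
            (dstate (t+1) = dstate t) /\
            (hlda_ (t+1) = hlda_ t))) /\
        ((astate_out t = astate (t+1)) /\
         (dstate_out t = dstate (t+1)) /\
         (hlda_out_ t = hlda_ (t+1)))"
  );;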


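% P-Port Block.

  Structural specification of the whole P-Port: it relates the state,
  environment and output signal tuples by existentially quantifying the
  internal wires and conjoining the component specifications (data latches,
  request latch, size counter, decode logic, lock latches, controller state
  machine and the gates and tri-state buffers between them). %
% NOTE(review): in a structural definition of this form an internal wire
  that no conjunct drives is unconstrained, and a wire driven by two
  conjuncts can make the whole relation unsatisfiable. As printed, rqt,
  load_in and down_in are only read (by Data_Latches_SPEC and
  Ctr_Logic_SPEC), and reset_rqt is produced both by the NOT_SPEC on
  rqt_outQ and by Scat_Logic_SPEC. Check these connections against the
  original listing before relying on any theorem proved from this
  definition. %
let P_Block_SPEC = new_definition
  (`P_Block_SPEC`,
   "! (P_fsm_stateA P_fsm_state :time->pfsm_ty)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :time->wordn)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA P_fsm_rst P_fsm_mrqt
       P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load P_down P_lock_
       P_lock_inh_ P_male_ P_rale_ :time->bool)
      (L_ad_in L_be_ I_ad_in :time->wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :time->bool)
      (L_ad_out I_ad_data_out I_ad_addr_out I_be_ :time->wordn)
      (L_ready_ I_rale_ I_male_ I_crqt_ I_cale_ I_mrdy_ I_last_ I_hlda_ I_lock_ :time->bool) .
    P_Block_SPEC (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
                  P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                  P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                  P_lock_inh_, P_male_, P_rale_)
                 (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
                 (L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
                  I_mrdy_, I_last_, I_hlda_, I_lock_) =
      ? fsm_astate fsm_dstate rqt data_out addr_out be_out data_out_en reset_rqt
        rqt_inS rqt_inR rqt_inE rqt_outQ load_in down_in zero_cnt zero_cnt_
        l_ad_out_en_ rale_ male_ fsm_mrqt fsm_rst fsm_sack l_ready i_cgnt
        lock_inE lock_outQ lock_inh_inE lock_inh_outQ p_male_outQ p_rale_outQ lock_outQ_ .
        (Data_Latches_SPEC ClkA ClkB L_ad_in L_be_ L_wr rqt fsm_astate
                           P_wr_data P_addr P_destl P_be_ P_wr P_be_n_
                           data_out addr_out be_out) /\
        (TRIBUF_SPEC data_out data_out_en I_ad_data_out) /\
        (TRIBUF_SPEC addr_out fsm_astate I_ad_addr_out) /\
        (TRIBUF_SPEC be_out I_hlda_ I_be_) /\
        (Req_Inputs_SPEC L_ads_ L_den_ reset_rqt rqt_inS rqt_inR rqt_inE) /\
        (DSRELAT_SPEC GND rqt_inS rqt_inR rqt_inE ClkB P_rqt rqt_outQ) /\
        (NOT_SPEC rqt_outQ reset_rqt) /\
        (Ctr_Logic_SPEC ClkA ClkB L_ad_in load_in down_in zero_cnt
                        P_size P_sizeA P_load P_loadA P_down P_downA) /\
        (Scat_Logic_SPEC Rst fsm_astate fsm_dstate I_hlda_ P_addr P_wr P_rqt zero_cnt I_srdy_
                         data_out_en l_ad_out_en_ rale_ male_ I_crqt_
                         fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready) /\
        (TRIBUF_SPEC rale_ I_hlda_ I_rale_) /\
        (TRIBUF_SPEC male_ I_hlda_ I_male_) /\
        (TRIBUF_SPEC GND I_hlda_ I_mrdy_) /\
        (NOT_SPEC zero_cnt zero_cnt_) /\
        (TRIBUF_SPEC zero_cnt_ I_hlda_ I_last_) /\
        (NOT_SPEC l_ready L_ready_) /\
        (DSELAT_SPEC L_lock_ Rst lock_inE ClkB P_lock_ lock_outQ) /\
        (DSELAT_SPEC L_lock_ Rst lock_inh_inE ClkB P_lock_inh_ lock_inh_outQ) /\
        (Lock_Inputs_SPEC Rst fsm_dstate p_male_outQ p_rale_outQ lock_inE lock_inh_inE) /\
        (DELAT_SPEC male_ fsm_astate ClkB P_male_ p_male_outQ) /\
        (DELAT_SPEC rale_ fsm_astate ClkB P_rale_ p_rale_outQ) /\
        (NOT_SPEC lock_outQ lock_outQ_) /\
        (NAND2_SPEC lock_outQ_ lock_inh_outQ I_lock_) /\
        (NOT_SPEC I_cgnt_ i_cgnt) /\
        (NAND3_SPEC i_cgnt fsm_astate I_hold_ I_cale_) /\
        (BUF_SPEC I_ad_in L_ad_out) /\
        (FSM_SPEC ClkA ClkB fsm_rst fsm_mrqt fsm_sack I_cgnt_ I_crqt_ I_hold_ lock_outQ
                  P_fsm_state P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_
                  P_fsm_hold_
                  P_fsm_lock_ P_fsm_stateA P_fsm_astate P_fsm_dstate P_fsm_hlda_
                  fsm_astate fsm_dstate I_hlda_)"
  );;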

close_theory();; 
B.2 M Port Specification




File: m_block.ml

Author: (c) D.A. Fura 1992

Date: 31 March 1992


This file contains the ml source for the gate-level specification of the P-Port of the FTEP PIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

% 


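% Theory set-up: extend the search path, delete any stale theory file,
  open the theory, load the abstract-type support and declare the parents. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm m_block.th`;;

new_theory `m_block`;;
loadf `abstract`;;

map new_parent [`gates_def`; `latches_def`; `ffs_def`; `counters_def`; `maux_def`;
                `aux_def`; `array_def`; `wordn_def`];;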

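% Tuple types and variable tuples for the M-Port state, environment
  (inputs) and outputs. Each type lists its components in the same order
  as the matching variable tuple. rep_ty is the abstract representation
  type passed to the Hamming encode and decode functions used below. %
let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
                    mfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                 M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                 M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                 M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                :^m_state_ty)";;

let m_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              :^m_env_ty)";;

let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;

let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
               MB_parity)
              :^m_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;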

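% SRAM/EEPROM selection logic.

  M_se holds while clkA is high and, while clkB is high, loads bit 23 of
  i_ad when male is high. With mem_enable high, cs_e_ is driven low when the
  latched bit is F and cs_s_ is driven low when it is T, so at most one of
  the two selects is low at a time. %
let SE_Logic_SPEC = new_definition
  (`SE_Logic_SPEC`,
   "! clkA clkB (i_ad:time->wordn) male mem_enable M_se cs_e_ cs_s_ .
    SE_Logic_SPEC clkA clkB i_ad male mem_enable M_se cs_e_ cs_s_ =
      !t:time .
        ((clkA t) ==> ((M_se (t+1) = M_se t))) /\
        ((clkB t) ==> ((M_se (t+1) = (male t) => ELEMENT (i_ad t) (23) | M_se t))) /\
        ((cs_e_ t = ~((mem_enable t) /\ ~(M_se (t+1)))) /\
         (cs_s_ t = ~((mem_enable t) /\ (M_se (t+1)))))"
  );;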


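% Read/write selection logic.

  M_wr holds while clkA is high and, while clkB is high, loads bit 27 of
  i_ad when male is high. rd_mem and wr_mem are the latched direction gated
  by mem_enable, so they are never both high. %
let WR_Logic_SPEC = new_definition
  (`WR_Logic_SPEC`,
   "! clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem .
    WR_Logic_SPEC clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem =
      !t:time .
        ((clkA t) ==> ((M_wr (t+1) = M_wr t))) /\
        ((clkB t) ==> ((M_wr (t+1) = (male t) => ELEMENT (i_ad t) (27) | M_wr t))) /\
        ((wr t = M_wr (t+1)) /\
         (rd_mem t = (mem_enable t) /\ ~(M_wr (t+1))) /\
         (wr_mem t = (mem_enable t) /\ (M_wr (t+1))))"
  );;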

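% Address counter logic.

  While clkA is high M_addrA copies M_addr. While clkB is high M_addr loads
  bits 18..0 of i_ad when male is high, otherwise increments or holds
  according to rdyA. INCN 18 covers bits 0..18, so an all-ones address wraps
  within that field rather than carrying out of it. %
let Addr_Ctr_SPEC = new_definition
  (`Addr_Ctr_SPEC`,
   "! clkA clkB (i_ad:time->wordn) male rdyA M_addr M_addrA addr_out .
    Addr_Ctr_SPEC clkA clkB i_ad male rdyA M_addr M_addrA addr_out =
      !t:time .
        ((clkA t) ==>
           ((M_addr (t+1) = M_addr t) /\
            (M_addrA (t+1) = M_addr t))) /\
        ((clkB t) ==>
           ((M_addr (t+1) = (male t) => (SUBARRAY (i_ad t) (18,0)) |
                            (rdyA t) => (INCN 18 (M_addrA t)) | (M_addrA t)) /\
            (M_addrA (t+1) = M_addrA t))) /\
        (addr_out t = (rdyA t) => (INCN 18 (M_addrA (t+1))) | M_addrA (t+1))"
  );;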


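% Byte enable logic.

  While clkA is high M_beA copies M_be. While clkB is high M_be loads i_be
  when male or srdy is high. A memory write is a word write (ww) when bits
  0..3 of the latched byte enables have value 15, and a byte write (bw)
  otherwise. %
let BE_Logic_SPEC = new_definition
  (`BE_Logic_SPEC`,
   "! clkA clkB (i_be:time->wordn) male srdy wr_mem M_be M_beA be_out ww bw .
    BE_Logic_SPEC clkA clkB i_be male srdy wr_mem M_be M_beA be_out ww bw =
      !t:time .
        ((clkA t) ==>
           ((M_be (t+1) = M_be t) /\
            (M_beA (t+1) = M_be t))) /\
        ((clkB t) ==>
           ((M_be (t+1) = ((male t) \/ (srdy t)) => (i_be t) | (M_be t)) /\
            (M_beA (t+1) = M_beA t))) /\
        ((be_out t = M_beA (t+1)) /\
         (ww t = (wr_mem t) /\ (VAL 3 (M_be (t+1)) = 15)) /\
         (bw t = (wr_mem t) /\ ~(VAL 3 (M_be (t+1)) = 15)))"
  );;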

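% Input logic for M_rdy latch.

  rdy is raised when the count is zero and either the controller is in its
  write state, or it is in its read state and the access is not a memory
  write. %
let Rdy_Logic_SPEC = new_definition
  (`Rdy_Logic_SPEC`,
   "! write read zero_cnt wr_mem rdy .
    Rdy_Logic_SPEC write read zero_cnt wr_mem rdy =
      !t:time .
        (rdy t = (write t) /\ (zero_cnt t) \/ (read t) /\ (zero_cnt t) /\ ~(wr_mem t))"
  );;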


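% Wait state counter logic.

  While clkA is high M_countA copies M_count. While clkB is high M_count is
  loaded with 1 or 2 when ld is high (selected by the first control input),
  otherwise decremented or held according to dn. zero_cnt compares the
  A-side count with 1 when dn is high and with 0 otherwise. %
% NOTE(review): the first control input is printed as in, which is also
  the keyword of let ... in; confirm the identifier against the original
  listing. %
let Ctr_Logic_SPEC = new_definition
  (`Ctr_Logic_SPEC`,
   "! clkA clkB in dn ld M_count M_countA zero_cnt .
    Ctr_Logic_SPEC clkA clkB in dn ld M_count M_countA zero_cnt =
      !t:time .
        ((clkA t) ==>
           ((M_count (t+1) = M_count t) /\
            (M_countA (t+1) = M_count t))) /\
        ((clkB t) ==>
           ((M_count (t+1) = (ld t) => ((in t) => (WORDN 1) | (WORDN 2)) |
                             (dn t) => (DECN 1 (M_countA t)) | (M_countA t)) /\
            (M_countA (t+1) = M_countA t))) /\
        (zero_cnt t = (M_countA (t+1) = ((dn t) => (WORDN 1) | (WORDN 0))))"
  );;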


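% Memory control signal logic.

  oe_ is driven low for a memory read in the address state or in the read
  state. we_ is the write-protection point of the port: it is held high when
  the EEPROM is selected (cs_eeprom_ low) while disable_eeprom is set, when
  disable_writes is set, or when the controller is in none of the write,
  byte-write or delayed word-write conditions. edac_le follows read, and
  mb_wr_en_ is the complement of write. %
let Enable_Logic_SPEC = new_definition
  (`Enable_Logic_SPEC`,
   "! cs_eeprom_ rd_mem address read write byte_write wwdel
      disable_eeprom disable_writes oe_ edac_le we_ mb_wr_en_ .
    Enable_Logic_SPEC cs_eeprom_ rd_mem address read write byte_write wwdel
                      disable_eeprom disable_writes oe_ edac_le we_ mb_wr_en_ =
      !t:time .
        (oe_ t = ~((rd_mem t) /\ (address t) \/ (read t))) /\
        (we_ t = ~(cs_eeprom_ t) /\ (disable_eeprom t) \/
                 (disable_writes t) \/
                 ~((write t) \/ (byte_write t) \/ (wwdel t))) /\
        (edac_le t = read t) /\
        (mb_wr_en_ t = ~(write t))"
  );;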


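% Generation logic for I_srdy_.

  srdy_ is driven low by the latched ready (rdy_outQ) on reads and by the
  unlatched ready (rdy) on writes. %
let Srdy_Logic_SPEC = new_definition
  (`Srdy_Logic_SPEC`,
   "! wr rdy rdy_outQ srdy_ .
    Srdy_Logic_SPEC wr rdy rdy_outQ srdy_ =
      !t:time .
        srdy_ t = ~((rdy_outQ t) /\ ~(wr t) \/ (rdy t) /\ (wr t))"
  );;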


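% Memory decode logic.

  With edac_en high the memory word is passed through Ham_Dec and the
  detection word comes from Ham_Det1. With edac_en low the raw memory word
  is passed through unchanged and the detection word is WORDN 0, so no
  error is reported for that read. %
let EDAC_Decode_Logic_SPEC = new_definition
  (`EDAC_Decode_Logic_SPEC`,
   "! (rep:^rep_ty) (mb_data_in:time->wordn) edac_en data_out detect_out .
    EDAC_Decode_Logic_SPEC rep mb_data_in edac_en data_out detect_out =
      !t:time .
        (data_out t = (edac_en t) => (Ham_Dec rep (mb_data_in t)) | (mb_data_in t)) /\
        (detect_out t = (edac_en t) => (Ham_Det1 rep (mb_data_in t)) | (WORDN 0))"
  );;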

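% Memory read latches.

  While clkA is high M_rd_dataA copies M_rd_data and M_detect loads
  detect_inD when detect_inE is high. While clkB is high M_rd_data loads
  data_inD when edac_le is high and M_detect holds. The data output is the
  A-side latch at t+1; the detection output is Ham_Det2 applied to the
  latched detection word paired with edac_en. %
% NOTE(review): as printed, M_rd_dataA also copies M_rd_data while clkB is
  high, where the other A-side latches in this appendix hold their own
  value. Confirm against the original listing. %
let Read_Latches_SPEC = new_definition
  (`Read_Latches_SPEC`,
   "! (rep:^rep_ty) clkA clkB (data_inD:time->wordn) edac_en edac_le detect_inD detect_inE
      M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ .
    Read_Latches_SPEC rep clkA clkB data_inD edac_en edac_le detect_inD detect_inE
                      M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ =
      !t:time .
        ((clkA t) ==>
           ((M_rd_data (t+1) = M_rd_data t) /\
            (M_rd_dataA (t+1) = M_rd_data t) /\
            (M_detect (t+1) = (detect_inE t) => (detect_inD t) | (M_detect t)))) /\
        ((clkB t) ==>
           ((M_rd_data (t+1) = (edac_le t) => (data_inD t) | (M_rd_data t)) /\
            (M_rd_dataA (t+1) = M_rd_data t) /\
            (M_detect (t+1) = M_detect t))) /\
        ((m_data_outQ t = M_rd_dataA (t+1)) /\
         (m_detect_outQ t = Ham_Det2 rep ((M_detect (t+1)), (edac_en t))))"
  );;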
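% Enable input logic for EDAC correction reporting.

  The detection latch is enabled whenever no EDAC read is in progress, and
  during an EDAC read only when edac_en is high. %
let Detect_Enable_Logic_SPEC = new_definition
  (`Detect_Enable_Logic_SPEC`,
   "! edac_en edac_rd detect_inE .
    Detect_Enable_Logic_SPEC edac_en edac_rd detect_inE =
      !t:time .
        (detect_inE t = (edac_en t) /\ (edac_rd t) \/ ~(edac_rd t))"
  );;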

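% Memory write data multiplexer.

  Builds the word written to memory one byte lane at a time: for each of
  the four lanes, byte enable bit k selects the lane from i_ad when T and
  from the previously read word m_data_outQ when F, which is what a byte
  write needs to leave the other lanes unchanged. %
let Mux_Out_Logic_SPEC = new_definition
  (`Mux_Out_Logic_SPEC`,
   "! (m_data_outQ:time->wordn) i_ad be mb_data_out .
    Mux_Out_Logic_SPEC m_data_outQ i_ad be mb_data_out =
      !t:time .
        let od1 =
          (MALTER (mb_data_out t) (7,0) ((ELEMENT (be t) (0)) => (SUBARRAY (i_ad t) (7,0))
                                                               | (SUBARRAY (m_data_outQ t) (7,0))))
        in
        (let od2 =
          (MALTER od1 (15,8) ((ELEMENT (be t) (1)) => (SUBARRAY (i_ad t) (15,8))
                                                    | (SUBARRAY (m_data_outQ t) (15,8))))
        in
        (let od3 =
          (MALTER od2 (23,16) ((ELEMENT (be t) (2)) => (SUBARRAY (i_ad t) (23,16))
                                                     | (SUBARRAY (m_data_outQ t) (23,16))))
        in
        (let od4 =
          (MALTER od3 (31,24) ((ELEMENT (be t) (3)) => (SUBARRAY (i_ad t) (31,24))
                                                     | (SUBARRAY (m_data_outQ t) (31,24))))
        in (mb_data_out t = od4))))"
  );;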


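% Data encoding logic.

  The word sent to memory is the Hamming encoding (Ham_Enc) of the
  multiplexed write data. %
let Enc_Out_Logic_SPEC = new_definition
  (`Enc_Out_Logic_SPEC`,
   "! (rep:^rep_ty) (mb_data_out:time->wordn) mb_edata_out .
    Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out =
      !t:time .
        (mb_edata_out t = Ham_Enc rep (mb_data_out t))"
  );;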

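% Input logic for M_parity latch.

  The set input is raised when a detected error coincides with srdy and
  mem_enable; the reset input is raised by rst or reset_parity; the latch
  enable is the OR of the two. %
let Memparity_In_Logic_SPEC = new_definition
  (`Memparity_In_Logic_SPEC`,
   "! srdy mem_enable detect_outQ rst reset_parity memparity_inS memparity_inR memparity_inE .
    Memparity_In_Logic_SPEC srdy mem_enable detect_outQ rst reset_parity
                            memparity_inS memparity_inR memparity_inE =
      !t:time .
        (memparity_inS t = (srdy t) /\ (mem_enable t) /\ (detect_outQ t)) /\
        (memparity_inR t = (rst t) \/ (reset_parity t)) /\
        (memparity_inE t = (memparity_inS t) \/ (memparity_inR t))"
  );;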


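% M-Port controller state machine.

  While clkA is high the latched inputs hold and the next state stateA is
  computed from state and those inputs; reset forces MI. The decoded
  signals address, read, write, byte_write and mem_enable are derived from
  the new stateA. While clkB is high the inputs are sampled, state takes
  the value of stateA and the decoded signals hold. The outputs are the
  decoded signals at t+1. The final else branch (no earlier state test
  matched) goes to MW. %
let FSM_SPEC = new_definition
  (`FSM_SPEC`,
   "! clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
      state male_ rd bw ww last_ mrdy_ zero_cnt rst
      stateA address read write byte_write mem_enable
      address_out read_out write_out byte_write_out mem_enable_out .
    FSM_SPEC clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
             state male_ rd bw ww last_ mrdy_ zero_cnt rst
             stateA address read write byte_write mem_enable
             address_out read_out write_out byte_write_out mem_enable_out =
      !t:time .
        ((clkA t) ==>
           ((state (t+1) = state t) /\
            (male_ (t+1) = male_ t) /\
            (rd (t+1) = rd t) /\
            (bw (t+1) = bw t) /\
            (ww (t+1) = ww t) /\
            (last_ (t+1) = last_ t) /\
            (mrdy_ (t+1) = mrdy_ t) /\
            (zero_cnt (t+1) = zero_cnt t) /\
            (rst (t+1) = rst t) /\
            (stateA (t+1) =
               ((rst t) => MI |
                (state t = MI) => ((~(male_ t)) => MA | MI) |
                (state t = MA) => ((~(mrdy_ t) /\ (ww t)) => MW |
                                   (~(mrdy_ t) /\ ((rd t) \/ (bw t))) => MR | MA) |
                (state t = MR) => (((bw t) /\ (zero_cnt t)) => MBW |
                                   ((last_ t) /\ (rd t) /\ (zero_cnt t)) => MA |
                                   (~(last_ t) /\ (rd t) /\ (zero_cnt t)) => MRR | MR) |
                (state t = MRR) => MI |
                (state t = MW) => (((zero_cnt t) /\ ~(last_ t)) => MI |
                                   ((zero_cnt t) /\ (last_ t)) => MA | MW) |
                MW)) /\
            (address (t+1) = (stateA (t+1) = MA)) /\
            (read (t+1) = (stateA (t+1) = MR)) /\
            (write (t+1) = (stateA (t+1) = MW)) /\
            (byte_write (t+1) = (stateA (t+1) = MBW)) /\
            (mem_enable (t+1) = ~(stateA (t+1) = MI)))) /\
        ((clkB t) ==>
           ((state (t+1) = stateA t) /\
            (male_ (t+1) = male_in_ t) /\
            (rd (t+1) = rd_in t) /\
            (bw (t+1) = bw_in t) /\
            (ww (t+1) = ww_in t) /\
            (last_ (t+1) = last_in_ t) /\
            (mrdy_ (t+1) = mrdy_in_ t) /\
            (zero_cnt (t+1) = zero_cnt_in t) /\
            (rst (t+1) = rst_in t) /\
            (stateA (t+1) = stateA t) /\
            (address (t+1) = address t) /\
            (read (t+1) = read t) /\
            (write (t+1) = write t) /\
            (byte_write (t+1) = byte_write t) /\
            (mem_enable (t+1) = mem_enable t))) /\
        ((address_out t = address (t+1)) /\
         (read_out t = read (t+1)) /\
         (write_out t = write (t+1)) /\
         (byte_write_out t = byte_write (t+1)) /\
         (mem_enable_out t = mem_enable (t+1)))"
  );;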


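% M-Port Block.

  Structural specification of the whole M-Port: it relates the state,
  environment and output signal tuples by existentially quantifying the
  internal wires and conjoining the component specifications (chip select,
  read/write select, address counter, byte enables, wait-state counter,
  memory control signals, EDAC decode and encode, read latches, parity
  latch and the controller state machine). %
% NOTE(review): as printed, EDAC_Decode_Logic_SPEC produces data_out and
  detect_out while Read_Latches_SPEC consumes data_inD and detect_inD, and
  no conjunct relates the two pairs; be, the lane select of
  Mux_Out_Logic_SPEC, is likewise produced nowhere else than
  BE_Logic_SPEC. An undriven existential wire is unconstrained, which would
  leave the decoder disconnected from the latches in this relation. Check
  the wire names against the original listing. rdy_outQ appears twice in
  the quantifier list as printed. %
let M_Block_SPEC = new_definition
  (`M_Block_SPEC`,
   "! (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst M_se
       M_wr M_rdy M_wwdel M_parity :(time->bool))
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :(time->wordn))
      (M_fsm_stateA M_fsm_state :(time->mfsm_ty))
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :(time->bool))
      (I_ad_in I_be_ MB_data_in :(time->wordn))
      (I_srdy_ MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ MB_parity :(time->bool))
      (I_ad_out MB_addr MB_data_out :(time->wordn))
      (rep:^rep_ty) .
    M_Block_SPEC (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                  M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                  M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                  M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                 (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
                  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
                 (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
                  MB_parity)
                 rep =
      ? male address read write byte_write mem_enable wr rd_mem wr_mem rdy_outQ srdy
        be ww bw zero_cnt rdy count_inDN count_inLD wwdel_inD wwdel_outQ edac_le
        rdy_outQ srdy_ edac_en data_out detect_out data_inD detect_inD detect_inE
        m_data_outQ m_detect_outQ mb_data_out mb_edata_out mb_wr_en_ mb_wr_en
        memparity_inS memparity_inR memparity_inE .
        (NOT_SPEC I_male_ male) /\
        (SE_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_se MB_cs_eeprom_ MB_cs_sram_) /\
        (WR_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_wr wr rd_mem wr_mem) /\
        (Addr_Ctr_SPEC ClkA ClkB I_ad_in male rdy_outQ M_addr M_addrA MB_addr) /\
        (BE_Logic_SPEC ClkA ClkB I_be_ male srdy wr_mem M_be M_beA be ww bw) /\
        (Rdy_Logic_SPEC write read zero_cnt wr_mem rdy) /\
        (Ctr_Logic_SPEC ClkA ClkB MB_cs_eeprom_ count_inDN count_inLD M_count M_countA zero_cnt) /\
        (OR2_SPEC write read count_inDN) /\
        (OR2_SPEC address byte_write count_inLD) /\
        (AND2_SPEC ww address wwdel_inD) /\
        (DLAT_SPEC wwdel_inD ClkB M_wwdel wwdel_outQ) /\
        (Enable_Logic_SPEC MB_cs_eeprom_ rd_mem address read write byte_write wwdel_outQ
                           Disable_eeprom Disable_writes MB_oe_ edac_le MB_we_ mb_wr_en_) /\
        (DFF_SPEC rdy ClkA M_rdy M_rdyA rdy_outQ) /\
        (Srdy_Logic_SPEC wr rdy rdy_outQ srdy_) /\
        (TRIBUF_SPEC srdy_ mem_enable I_srdy_) /\
        (NOT_SPEC srdy_ srdy) /\
        (NOT_SPEC Edac_en_ edac_en) /\
        (EDAC_Decode_Logic_SPEC rep MB_data_in edac_en data_out detect_out) /\
        (Read_Latches_SPEC rep ClkA ClkB data_inD edac_en edac_le detect_inD detect_inE
                           M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ) /\
        (TRIBUF_SPEC m_data_outQ rd_mem I_ad_out) /\
        (Detect_Enable_Logic_SPEC edac_en rd_mem detect_inE) /\
        (Mux_Out_Logic_SPEC m_data_outQ I_ad_in be mb_data_out) /\
        (Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out) /\
        (NOT_SPEC mb_wr_en_ mb_wr_en) /\
        (TRIBUF_SPEC mb_edata_out mb_wr_en MB_data_out) /\
        (Memparity_In_Logic_SPEC srdy mem_enable m_detect_outQ Rst Reset_parity
                                 memparity_inS memparity_inR memparity_inE) /\
        (DSRELAT_SPEC GND memparity_inS memparity_inR memparity_inE ClkB
                      M_parity MB_parity) /\
        (FSM_SPEC ClkA ClkB I_male_ rd_mem bw ww I_last_ I_mrdy_ zero_cnt Rst
                  M_fsm_state M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_
                  M_fsm_zero_cnt M_fsm_rst
                  M_fsm_stateA M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable
                  address read write byte_write mem_enable)"
  );;

close_theory();;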
B.3 R Port Specification


File: r_block.ml

Author: (c) D.A. Fura 1992

Date: 31 March 1992 

This file contains the ml source for the gate-level specification of the R-Port of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.


-% 


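% Theory set-up: extend the search path, delete any stale theory file,
  open the theory, load the support files and declare the parents. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

system `rm r_block.th`;;

new_theory `r_block`;;

map loadf [`abstract`; `buses_def`];;

map new_parent [`gates_def`; `latches_def`; `ffs_def`; `counters_def`; `datapaths_def`; `raux_def`; `aux_def`;
                `array_def`; `wordn_def`];;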

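% Tuple types and variable tuples for the R-Port state, environment
  (inputs) and outputs. Each type lists its components in the same order
  as the matching variable tuple (88 state components, 20 inputs and 10
  outputs). rep_ty is the abstract representation type. %
let r_state_ty = ":(rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                    bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#
                    wordn#bool#wordn#wordn#wordn#
                    rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                    bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#wordn#
                    bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                    wordn#wordn#wordn#bool#wordn#bool#wordn#bool#wordn#bool)";;
let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
                 R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
                 R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
                 R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
                 R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
                 R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
                 R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
                 R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
                 R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
                 R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
                 R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
                 R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
                 R_sr_rden)
                :^r_state_ty)";;

let r_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                  wordn#wordn#wordn#bool#bool#wordn)";;

let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
               Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
              :^r_env_ty)";;

let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;

let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;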


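% R-Port controller state machine.

  While ClkA is high the next state stateA is computed from state and the
  latched inputs (reset forces RI), cntlatch is raised when leaving RI on a
  low ale_, srdy_ is driven low when in RA with mrdy_ low, and the latched
  inputs hold. While ClkB is high the inputs are sampled, state takes the
  value of stateA and the rest holds. s0_out marks state RD and s1_out
  marks RA or RD. %
% NOTE(review): as printed, s0_out and s1_out are constrained at t+1 while
  cntlatch_out and srdy_out_ are constrained at t, so the first two are
  left unconstrained at time 0. Confirm against the original listing. %
let FSM_SPEC = new_definition
  (`FSM_SPEC`,
   "! (ClkA:time->bool) ClkB ale_in_ mrdy_in_ last_in_ rst_in
      ale_ mrdy_ last_ rst state
      cntlatch srdy_ (stateA:time->rfsm_ty)
      s0_out s1_out cntlatch_out srdy_out_ .
    FSM_SPEC ClkA ClkB ale_in_ mrdy_in_ last_in_ rst_in
             ale_ mrdy_ last_ rst state
             cntlatch srdy_ stateA
             s0_out s1_out cntlatch_out srdy_out_ =
      !t:time .
        ((ClkA t) ==>
           ((stateA (t+1) = ((rst t) => RI |
                             ((state t) = RI) => ((~ale_ t) => RA | RI) |
                             ((state t) = RA) => ((~mrdy_ t) => RD | RA) |
                                                 ((~last_ t) => RI | RA))) /\
            (cntlatch (t+1) = ((state t = RI) /\ ~ale_ t)) /\
            (srdy_ (t+1) = ~((state t = RA) /\ ~mrdy_ t)) /\
            (state (t+1) = state t) /\
            (ale_ (t+1) = ale_ t) /\
            (mrdy_ (t+1) = mrdy_ t) /\
            (last_ (t+1) = last_ t) /\
            (rst (t+1) = rst t))) /\
        ((ClkB t) ==>
           ((stateA (t+1) = stateA t) /\
            (cntlatch (t+1) = cntlatch t) /\
            (srdy_ (t+1) = srdy_ t) /\
            (state (t+1) = stateA t) /\
            (ale_ (t+1) = ale_in_ t) /\
            (mrdy_ (t+1) = mrdy_in_ t) /\
            (last_ (t+1) = last_in_ t) /\
            (rst (t+1) = rst_in t))) /\
        ((s0_out (t+1) = (stateA (t+1) = RD)) /\
         (s1_out (t+1) = ((stateA (t+1) = RA) \/ (stateA (t+1) = RD))) /\
         (cntlatch_out t = cntlatch (t+1)) /\
         (srdy_out_ t = srdy_ (t+1)))"
  );;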

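% R_wr latch definition.

  r_wr holds while clkB is low and, while clkB is high, loads bit 27 of
  iad_in when wr_inE is high. The output is the latch value at t+1. %
let Wr_Lat_SPEC = new_definition
  (`Wr_Lat_SPEC`,
   "! clkB (iad_in:time->wordn) wr_inE r_wr wr_outQ .
    Wr_Lat_SPEC clkB iad_in wr_inE r_wr wr_outQ =
      !t:time .
        ((~(clkB t)) ==> (r_wr (t+1) = r_wr t)) /\
        ((clkB t) ==> (r_wr (t+1) = (wr_inE t) => (ELEMENT (iad_in t) (27)) | r_wr t)) /\
        (wr_outQ t = r_wr (t+1))"
  );;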

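% Generation logic for control signals dp_read, r_write, r_read, icr_rd_en,
  srdy_en.

  All five are combinational functions of the latched direction r_wr and
  the state-decode signals s0 and s1. r_write is additionally gated by
  disable_writes, so no register write is signalled while that input is
  high. %
let RW_Sigs_SPEC = new_definition
  (`RW_Sigs_SPEC`,
   "! r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en .
    RW_Sigs_SPEC r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en =
      (!t:time .
        (dp_read t = (~r_wr t) /\ ((s0 t) \/ (s1 t))) /\
        (r_write t = (~disable_writes t) /\ (r_wr t) /\ (s0 t) /\ (s1 t)) /\
        (r_read t = (~r_wr t) /\ (~s0 t) /\ (s1 t)) /\
        (icr_rd_en t = (~s0 t) /\ (s1 t)) /\
        (srdy_en t = (s0 t) \/ (s1 t)))"
  );;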


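% R_reg_sel counter and logic.

  While clkA is high r_reg_selA copies r_reg_sel. While clkA is low
  r_reg_sel loads bits 3..0 of iad_in when inL is high, otherwise increments
  (when inU_ is low) or holds. INCN 3 covers bits 0..3, so the register
  index wraps from 15 instead of carrying out. %
let Reg_Sel_Ctr_SPEC = new_definition
  (`Reg_Sel_Ctr_SPEC`,
   "! clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ .
    Reg_Sel_Ctr_SPEC clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ =
      !t:time .
        ((clkA t) ==>
           ((r_reg_sel (t+1) = r_reg_sel t) /\
            (r_reg_selA (t+1) = r_reg_sel t))) /\
        ((~(clkA t)) ==>
           ((r_reg_sel (t+1) =
               (inL t) => SUBARRAY (iad_in t) (3,0) |
               (~inU_ t) => INCN 3 (r_reg_selA t) | r_reg_selA t) /\
            (r_reg_selA (t+1) = r_reg_selA t))) /\
        (outQ t = (~inU_ t) => INCN 3 (r_reg_selA (t+1)) | r_reg_selA (t+1))"
  );;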


% 

Generation logic for register file control signals. 


■% 


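%
 Reg_File_Ctl_SPEC: decodes reg_sel into per-register read and write
 strobes.  Select values used by this definition:
    0, 1   : icr_wr_feedback (with write) and icr_rd (with icr_rd_en);
             icr_select is false only for select value 1
    2      : gcr_wr / gcr_rd
    3      : ccr_wr / ccr_rd
    4      : sr_rd (no write strobe is defined for it)
    8..11  : c0ir..c3ir write and read strobes; cir_wr01 covers 8 and 9,
             cir_wr23 covers 10 and 11
    12..15 : c0or_rd..c3or_rd (read only)
 Select values 5, 6 and 7 assert no strobe here.
 NOTE(review): ir / or presumably stand for counter input / output
 register; confirm against the design description.
%
let Reg_File_Ctl_SPEC = new_definition
  (`Reg_File_Ctl_SPEC`,
   "! (reg_sel:time->wordn) write read icr_rd_en
      cir_wr01 cir_wr23
      c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
      c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
      icr_wr_feedback icr_select icr_rd
      ccr_wr ccr_rd gcr_wr gcr_rd sr_rd .
    Reg_File_Ctl_SPEC reg_sel write read icr_rd_en
                      cir_wr01 cir_wr23
                      c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
                      c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
                      icr_wr_feedback icr_select icr_rd
                      ccr_wr ccr_rd gcr_wr gcr_rd sr_rd =
     (!t:time .
      (cir_wr01 t = (write t) /\ (((reg_sel t) = WORDN 8) \/ ((reg_sel t) = WORDN 9))) /\
      (cir_wr23 t = (write t) /\ (((reg_sel t) = WORDN 10) \/ ((reg_sel t) = WORDN 11))) /\
      (c0ir_wr t = (write t) /\ ((reg_sel t) = WORDN 8)) /\
      (c0ir_rd t = (read t) /\ ((reg_sel t) = WORDN 8)) /\
      (c0or_rd t = (read t) /\ ((reg_sel t) = WORDN 12)) /\
      (c1ir_wr t = (write t) /\ ((reg_sel t) = WORDN 9)) /\
      (c1ir_rd t = (read t) /\ ((reg_sel t) = WORDN 9)) /\
      (c1or_rd t = (read t) /\ ((reg_sel t) = WORDN 13)) /\
      (c2ir_wr t = (write t) /\ ((reg_sel t) = WORDN 10)) /\
      (c2ir_rd t = (read t) /\ ((reg_sel t) = WORDN 10)) /\
      (c2or_rd t = (read t) /\ ((reg_sel t) = WORDN 14)) /\
      (c3ir_wr t = (write t) /\ ((reg_sel t) = WORDN 11)) /\
      (c3ir_rd t = (read t) /\ ((reg_sel t) = WORDN 11)) /\
      (c3or_rd t = (read t) /\ ((reg_sel t) = WORDN 15)) /\
      (icr_wr_feedback t = (write t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
      (icr_select t = ~((reg_sel t) = WORDN 1)) /\
      (icr_rd t = (icr_rd_en t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
      (ccr_wr t = (write t) /\ ((reg_sel t) = WORDN 3)) /\
      (ccr_rd t = (read t) /\ ((reg_sel t) = WORDN 3)) /\
      (gcr_wr t = (write t) /\ ((reg_sel t) = WORDN 2)) /\
      (gcr_rd t = (read t) /\ ((reg_sel t) = WORDN 2)) /\
      (sr_rd t = (read t) /\ ((reg_sel t) = WORDN 4)))"
  );;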


Input logic for R_int1_en, R_int2_en latches.


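%
 Ctr_Int_Logic_SPEC: set, reset and enable inputs of a counter
 interrupt-enable latch, plus the counter load signal.
   int_en_inR : reset when (one_shot and cout_del) or interrupt is low.
   int_en_inS : set when interrupt is high and the counter is being
                loaded, i.e. (cout and reload) or cir_wr.
   int_en_inE : the disjunction of the reset and set conditions above.
   c_ld       : (cout and reload) or cir_wr.
%
let Ctr_Int_Logic_SPEC = new_definition
  (`Ctr_Int_Logic_SPEC`,
   "! one_shot interrupt reload cout cout_del cir_wr
      int_en_inR int_en_inS int_en_inE c_ld .
    Ctr_Int_Logic_SPEC one_shot interrupt reload cout cout_del cir_wr
                       int_en_inR int_en_inS int_en_inE c_ld =
     (!t:time .
      (int_en_inR t = (one_shot t) /\ (cout_del t) \/ (~interrupt t)) /\
      (int_en_inS t = (interrupt t) /\ ((cout t) /\ (reload t) \/ (cir_wr t))) /\
      (int_en_inE t = (one_shot t) /\ (cout_del t) \/ (~interrupt t) \/
                      (interrupt t) /\ ((cout t) /\ (reload t) \/ (cir_wr t))) /\
      (c_ld t = (cout t) /\ (reload t) \/ (cir_wr t)))"
  );;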
-%


% 

Input logic for R_int0_en, R_int3_en latches.


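%
 And_Tree_SPEC: two OR-of-AND reductions over the 32-bit icr word.
   out0 is high when, for some i in 0..7,   bits i and i+8 are both set.
   out3 is high when, for some i in 16..23, bits i and i+8 are both set.
 NOTE(review): presumably each pair is an interrupt bit and its
 mask/enable bit; the definition itself only fixes the bit positions.
%
let And_Tree_SPEC = new_definition
  (`And_Tree_SPEC`,
   "! icr out0 out3 .
    And_Tree_SPEC icr out0 out3 =
     (!t:time .
      (out0 t = (ELEMENT (icr t) (0)) /\ (ELEMENT (icr t) (8)) \/
                (ELEMENT (icr t) (1)) /\ (ELEMENT (icr t) (9)) \/
                (ELEMENT (icr t) (2)) /\ (ELEMENT (icr t) (10)) \/
                (ELEMENT (icr t) (3)) /\ (ELEMENT (icr t) (11)) \/
                (ELEMENT (icr t) (4)) /\ (ELEMENT (icr t) (12)) \/
                (ELEMENT (icr t) (5)) /\ (ELEMENT (icr t) (13)) \/
                (ELEMENT (icr t) (6)) /\ (ELEMENT (icr t) (14)) \/
                (ELEMENT (icr t) (7)) /\ (ELEMENT (icr t) (15))) /\
      (out3 t = (ELEMENT (icr t) (16)) /\ (ELEMENT (icr t) (24)) \/
                (ELEMENT (icr t) (17)) /\ (ELEMENT (icr t) (25)) \/
                (ELEMENT (icr t) (18)) /\ (ELEMENT (icr t) (26)) \/
                (ELEMENT (icr t) (19)) /\ (ELEMENT (icr t) (27)) \/
                (ELEMENT (icr t) (20)) /\ (ELEMENT (icr t) (28)) \/
                (ELEMENT (icr t) (21)) /\ (ELEMENT (icr t) (29)) \/
                (ELEMENT (icr t) (22)) /\ (ELEMENT (icr t) (30)) \/
                (ELEMENT (icr t) (23)) /\ (ELEMENT (icr t) (31))))"
  );;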


Generation logic for Int0_, Int3_ signals.




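%
 Reg_Int_Logic_SPEC: generation of the int0_ and int3_ outputs.
 Each output is the negation of (enable and not disable-latch and not
 disable_int), so it is low exactly when its interrupt is enabled, its
 own disable input is low and the global disable_int is low.
%
let Reg_Int_Logic_SPEC = new_definition
  (`Reg_Int_Logic_SPEC`,
   "! int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ .
    Reg_Int_Logic_SPEC int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ =
     (!t:time .
      (int0_ t = ~((int0_en t) /\ (~int0_dis t) /\ (~disable_int t))) /\
      (int3_ t = ~((int3_en t) /\ (~int3_dis t) /\ (~disable_int t))))"
  );;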


% 

Virtual logic to package several R-Port inputs into single SR input word. 

% 


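%
 SR_Inputs_SPEC: packs the status inputs into the single word sr_inp.
 Field layout written by this definition:
    bits  1..0  : cpu_fail        bits 21..16 : id
    bits  3..2  : reset_cpu       bits 23..22 : channelID
    bit   8     : piu_fail        bit  24     : cb_parity
    bit   9     : pmm_fail        bits 27..25 : c_ss
    bits 15..12 : s_state         bit  28     : mb_parity
 The word is built by successive MALTER / ALTER updates starting from
 ARBN, so bits 4..7, 10..11 and everything above bit 28 keep whatever
 ARBN supplies and are not constrained by the inputs.
%
let SR_Inputs_SPEC = new_definition
  (`SR_Inputs_SPEC`,
   "! cpu_fail reset_cpu piu_fail pmm_fail s_state
      id channelID cb_parity c_ss mb_parity (sr_inp:time->wordn) .
    SR_Inputs_SPEC cpu_fail reset_cpu piu_fail pmm_fail s_state
                   id channelID cb_parity c_ss mb_parity sr_inp =
     !t:time .
      let a1 = (MALTER ARBN (1,0) (cpu_fail t)) in
      let a3 = (MALTER a1 (3,2) (reset_cpu t)) in
      let a5 = (ALTER a3 (8) (piu_fail t)) in
      let a6 = (ALTER a5 (9) (pmm_fail t)) in
      let a7 = (MALTER a6 (15,12) (s_state t)) in
      let a8 = (MALTER a7 (21,16) (id t)) in
      let a9 = (MALTER a8 (23,22) (channelID t)) in
      let a10 = (ALTER a9 (24) (cb_parity t)) in
      let a11 = (MALTER a10 (27,25) (c_ss t)) in
      let a12 = (ALTER a11 (28) (mb_parity t)) in
      (sr_inp t = a12)"
  );;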


% 

Virtual logic to distribute single GCR output word as several pieces. 


■% 


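%
 GCR_Outputs_SPEC: splits the GCR output word into its control fields.
    bits 3..0 : led
    bit 16 : reload01      bit 20 : reload23
    bit 17 : oneshot01     bit 21 : oneshot23
    bit 18 : interrupt01   bit 22 : interrupt23
    bit 19 : enable01      bit 23 : enable23
    bit 24 : reset_error   bit 28 : pmm_invalid
 No other bit of gcr_out is referenced by this definition.
%
let GCR_Outputs_SPEC = new_definition
  (`GCR_Outputs_SPEC`,
   "! (gcr_out:time->wordn)
      led reload01 oneshot01 interrupt01 enable01
      reload23 oneshot23 interrupt23 enable23 reset_error pmm_invalid .
    GCR_Outputs_SPEC gcr_out led reload01 oneshot01 interrupt01
                     enable01 reload23 oneshot23 interrupt23 enable23 reset_error pmm_invalid =
     !t:time .
      (led t = SUBARRAY (gcr_out t) (3,0)) /\
      (reload01 t = ELEMENT (gcr_out t) (16)) /\
      (oneshot01 t = ELEMENT (gcr_out t) (17)) /\
      (interrupt01 t = ELEMENT (gcr_out t) (18)) /\
      (enable01 t = ELEMENT (gcr_out t) (19)) /\
      (reload23 t = ELEMENT (gcr_out t) (20)) /\
      (oneshot23 t = ELEMENT (gcr_out t) (21)) /\
      (interrupt23 t = ELEMENT (gcr_out t) (22)) /\
      (enable23 t = ELEMENT (gcr_out t) (23)) /\
      (reset_error t = ELEMENT (gcr_out t) (24)) /\
      (pmm_invalid t = ELEMENT (gcr_out t) (28))"
  );;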


% 

Virtual logic to generate the 12 tristate driver enables for datapath Bus A. 


% 


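%
 Bus_Enab_SPEC: the 12 tristate driver enables for datapath Bus A.
 Every enable is clkA ANDed with the matching read-enable state bit, so
 no driver is enabled while clkA is low.
 NOTE(review): nothing in this definition forces the 12 enables to be
 mutually exclusive; that has to follow from how the r_*_rden inputs are
 generated elsewhere.
%
let Bus_Enab_SPEC = new_definition
  (`Bus_Enab_SPEC`,
   "! clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
      r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
      busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
      busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en .
    Bus_Enab_SPEC clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
                  r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
                  busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
                  busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en =
     !t:time .
      (busA_c0_en1 t = (clkA t) /\ (r_ctr0_irden t)) /\
      (busA_c0_en2 t = (clkA t) /\ (r_ctr0_orden t)) /\
      (busA_c1_en1 t = (clkA t) /\ (r_ctr1_irden t)) /\
      (busA_c1_en2 t = (clkA t) /\ (r_ctr1_orden t)) /\
      (busA_c2_en1 t = (clkA t) /\ (r_ctr2_irden t)) /\
      (busA_c2_en2 t = (clkA t) /\ (r_ctr2_orden t)) /\
      (busA_c3_en1 t = (clkA t) /\ (r_ctr3_irden t)) /\
      (busA_c3_en2 t = (clkA t) /\ (r_ctr3_orden t)) /\
      (busA_icr_en t = (clkA t) /\ (r_icr_rden t)) /\
      (busA_ccr_en t = (clkA t) /\ (r_ccr_rden t)) /\
      (busA_gcr_en t = (clkA t) /\ (r_gcr_rden t)) /\
      (busA_sr_en t = (clkA t) /\ (r_sr_rden t))"
  );;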


R-Port block.


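%
 R_Block_SPEC: structural specification of the R-Port.  It relates the
 state tuple, the environment tuple and the output tuple by asserting
 that internal signals exist for which every component specification
 below holds (a conjunction of the FSM, latches, decoders, counters,
 control/status registers and the Bus A drivers).

 NOTE(review): the printed listing is badly degraded in this definition.
 Points to confirm against the original source:
   - c13or_ld (the delayed fsm_cntlatch fed to counters 1 and 3) is read
     from a garbled token;
   - icr_rd_en appears twice in the existential binder as printed;
   - the DP_ICR_SPEC argument list shows icr_rd in two positions, while
     icr_ld (output of the R_icr_load flip-flop) is otherwise unused, so
     one of the two is possibly icr_ld;
   - the component names DLATn_SPEC and Bus_12_1_SPEC are read from
     garbled tokens.
%
let R_Block_SPEC = new_definition
  (`R_Block_SPEC`,
   "! (rep:^rep_ty)
      (R_fsm_stateA R_fsm_state :time->rfsm_ty)
      (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
       R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
       R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
       R_ccr R_gcr R_sr :time->wordn)
      (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
       R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
       R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
       R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
       R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
       R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
       R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
       R_sr_rden :time->bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :time->wordn)
      (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
       CB_parity MB_parity :time->bool)
      (I_ad_out Ccr Led :time->wordn)
      (I_srdy_ Int0_ Int1 Int2 Int3_ Reset_error Pmm_invalid :time->bool) .

    R_Block_SPEC rep
      (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
       R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
       R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
       R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
       R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
       R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
       R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
       R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
       R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
       R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
       R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
       R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
       R_sr_rden)
      (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
      (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid) =

     ? fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_ srdy_en wr_inE wr_outQ
       dp_read r_write r_read icr_rd_en c13or_ld srdy_del_outQ_ reg_sel
       icr_rd_en r_cir_wr01 r_cir_wr23 c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
       c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd icr_wr_feedback icr_select icr_rd
       ccr_wr ccr_rd gcr_wr gcr_rd sr_rd icr_ld c01_cout c01_cout_outQ c01_cout_delA_outQ
       c23_cout c23_cout_outQ c23_cout_delA_outQ
       oneshot01 interrupt01 reload01 int1_en_inR int1_en_inS int1_en_inE int1_en_outQ c01_ld
       oneshot23 interrupt23 reload23 int2_en_inR int2_en_inS int2_en_inE int2_en_outQ c23_ld
       enable01 enable23 c0_cout c2_cout ccr_out gcr_out sr_inp
       disable_int_ int0_en_inD int0_en_outQ int0_dis_outQ int3_en_inD int3_en_outQ int3_dis_outQ
       icr_out BusA BusB_in busA_latch_out
       (BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
        BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out :time->wordn)
       (BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
        BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en :time->bool) .

      (FSM_SPEC ClkA ClkB I_rale_ I_mrdy_ I_last_ Rst
                R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_fsm_state
                R_fsm_cntlatch R_fsm_srdy_ R_fsm_stateA
                fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_) /\
      (TRIBUF_SPEC fsm_srdy_ srdy_en I_srdy_) /\
      (NOT_SPEC I_rale_ wr_inE) /\
      (Wr_Lat_SPEC ClkB I_ad_in wr_inE R_wr wr_outQ) /\
      (RW_Sigs_SPEC wr_outQ fsm_s0 fsm_s1 Disable_writes dp_read r_write r_read icr_rd_en srdy_en) /\
      (DFF_SPEC fsm_cntlatch ClkA R_cntlatch_del R_cntlatch_delA c13or_ld) /\
      (DFF_SPEC fsm_srdy_ ClkA R_srdy_del_ R_srdy_delA_ srdy_del_outQ_) /\
      (Reg_Sel_Ctr_SPEC ClkA I_ad_in wr_inE srdy_del_outQ_ R_reg_sel R_reg_selA reg_sel) /\
      (Reg_File_Ctl_SPEC reg_sel r_write r_read icr_rd_en
                         r_cir_wr01 r_cir_wr23
                         c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
                         c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
                         icr_wr_feedback icr_select icr_rd
                         ccr_wr ccr_rd gcr_wr gcr_rd sr_rd) /\
      (DFF_SPEC icr_wr_feedback ClkA R_icr_load R_icr_loadA icr_ld) /\
      (DLAT_SPEC c01_cout ClkA R_c01_cout c01_cout_outQ) /\
      (DLAT_SPEC c23_cout ClkA R_c23_cout c23_cout_outQ) /\
      (DFF_SPEC c01_cout_outQ ClkA R_c01_cout_del R_c01_cout_delA c01_cout_delA_outQ) /\
      (DFF_SPEC c23_cout_outQ ClkA R_c23_cout_del R_c23_cout_delA c23_cout_delA_outQ) /\
      (Ctr_Int_Logic_SPEC oneshot01 interrupt01 reload01 c01_cout_outQ c01_cout_delA_outQ
                          r_cir_wr01 int1_en_inR int1_en_inS int1_en_inE c01_ld) /\
      (Ctr_Int_Logic_SPEC oneshot23 interrupt23 reload23 c23_cout_outQ c23_cout_delA_outQ
                          r_cir_wr23 int2_en_inR int2_en_inS int2_en_inE c23_ld) /\
      (DSRELAT_SPEC GND int1_en_inS int1_en_inR int1_en_inE ClkB R_int1_en int1_en_outQ) /\
      (DSRELAT_SPEC GND int2_en_inS int2_en_inR int2_en_inE ClkB R_int2_en int2_en_outQ) /\
      (NOT_SPEC Disable_int disable_int_) /\
      (AND3_SPEC c01_cout_outQ int1_en_outQ disable_int_ Int1) /\
      (AND3_SPEC c23_cout_outQ int2_en_outQ disable_int_ Int2) /\
      (And_Tree_SPEC icr_out int0_en_inD int3_en_inD) /\
      (DLAT_SPEC int0_en_inD ClkA R_int0_en int0_en_outQ) /\
      (DLAT_SPEC int3_en_inD ClkA R_int3_en int3_en_outQ) /\
      (DFF_SPEC int0_en_outQ ClkA R_int0_dis R_int0_disA int0_dis_outQ) /\
      (DFF_SPEC int3_en_outQ ClkA R_int3_dis R_int3_disA int3_dis_outQ) /\
      (Reg_Int_Logic_SPEC int0_en_outQ int0_dis_outQ int3_en_outQ int3_dis_outQ
                          Disable_int Int0_ Int3_) /\
      (DLATn_SPEC BusA ClkA R_busA_latch busA_latch_out) /\
      (TRIBUF_SPEC busA_latch_out dp_read I_ad_out) /\
      (BUF_SPEC I_ad_in BusB_in) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c0ir_wr c01_ld c0ir_rd enable01 VDD fsm_cntlatch
                   c0or_rd R_ctr0_in R_ctr0_mux_sel R_ctr0_irden R_ctr0 R_ctr0_ce R_ctr0_cin
                   R_ctr0_cry R_ctr0_new R_ctr0_outA R_ctr0_out R_ctr0_orden
                   BusA_c0_out1 BusA_c0_out2 c0_cout) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c1ir_wr c01_ld c1ir_rd VDD c0_cout c13or_ld
                   c1or_rd R_ctr1_in R_ctr1_mux_sel R_ctr1_irden R_ctr1 R_ctr1_ce R_ctr1_cin
                   R_ctr1_cry R_ctr1_new R_ctr1_outA R_ctr1_out R_ctr1_orden
                   BusA_c1_out1 BusA_c1_out2 c01_cout) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c2ir_wr c23_ld c2ir_rd enable23 VDD fsm_cntlatch
                   c2or_rd R_ctr2_in R_ctr2_mux_sel R_ctr2_irden R_ctr2 R_ctr2_ce R_ctr2_cin
                   R_ctr2_cry R_ctr2_new R_ctr2_outA R_ctr2_out R_ctr2_orden
                   BusA_c2_out1 BusA_c2_out2 c2_cout) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c3ir_wr c23_ld c3ir_rd VDD c2_cout c13or_ld
                   c3or_rd R_ctr3_in R_ctr3_mux_sel R_ctr3_irden R_ctr3 R_ctr3_ce R_ctr3_cin
                   R_ctr3_cry R_ctr3_new R_ctr3_outA R_ctr3_out R_ctr3_orden
                   BusA_c3_out1 BusA_c3_out2 c23_cout) /\
      (DP_ICR_SPEC rep ClkA ClkB BusA BusB_in icr_wr_feedback icr_rd icr_select R_icr_loadA icr_rd
                   R_icr_oldA R_icr_old R_icr_mask R_icrA R_icr R_icr_rden
                   BusA_icr_out icr_out) /\
      (DP_CR_SPEC ClkA ClkB BusB_in ccr_wr ccr_rd R_ccr R_ccr_rden BusA_ccr_out ccr_out) /\
      (DP_CR_SPEC ClkA ClkB BusB_in gcr_wr gcr_rd R_gcr R_gcr_rden BusA_gcr_out gcr_out) /\
      (GCR_Outputs_SPEC gcr_out Led reload01 oneshot01 interrupt01
                        enable01 reload23 oneshot23 interrupt23 enable23 Reset_error Pmm_invalid) /\
      (SR_Inputs_SPEC Cpu_fail Reset_cpu Piu_fail Pmm_fail S_state
                      Id ChannelID CB_parity C_ss MB_parity sr_inp) /\
      (DP_SR_SPEC ClkA ClkB sr_inp fsm_cntlatch sr_rd R_sr R_sr_rden BusA_sr_out) /\
      (Bus_Enab_SPEC ClkA R_ctr0_irden R_ctr0_orden R_ctr1_irden R_ctr1_orden R_ctr2_irden R_ctr2_orden
                     R_ctr3_irden R_ctr3_orden R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
                     BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
                     BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en) /\
      (Bus_12_1_SPEC BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
                     BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out
                     BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
                     BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en BusA)"
  );;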

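% Close the theory opened by this file so that its definitions are saved. %
close_theory();;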
B.4 C Port Specification


File: 

c_block.ml 

Author: 

(c) D.A. Fura 1992 

Date: 

31 March 1992 


This file contains the ml source for the gate-level specification of the C-Port of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 


— 1 % 


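%
 Session set-up for the c_block theory.
 NOTE(review): the library directory is a hard-coded absolute path on the
 author's machine, and the stale theory file is removed by shelling out
 to rm on a name relative to the current working directory.  Run this
 script only from the intended build directory, and adjust the search
 path when building elsewhere.
%
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm c_block.th`;;

new_theory `c_block`;;

loadf `abstract`;;

% Parent theories whose definitions the C-Port specification refers to. %
map new_parent [`gates_def`;`latches_def`;`ffs_def`;`counters_def`;`caux_def`;`aux_def`;`array_def`;`wordn_def`];;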

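%
 Status-code constants, antiquoted into the definitions below.
 The M* terms are compared against the master-status word (cb_ms) and
 the S* terms against the slave-status word (cb_ss).  The two groups
 reuse the same encodings (5, 6, 7 and 0), so a code is only meaningful
 together with the word it is compared against.
%
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;

let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;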

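%
 Type of the C-Port state tuple.  One component per state variable, in
 the same order as the names in c_state; each row below corresponds to
 one row of names there.
%
let c_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#bool#bool#bool#bool#bool#
                   csfsm_ty#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   cefsm_ty#bool#
                   bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#wordn#
                   cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#
                   csfsm_ty#bool#bool#bool#bool#bool#bool#wordn#
                   cefsm_ty#bool#bool#bool#bool#bool#bool#
                   bool#wordn#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#
                   bool#bool#wordn#wordn#wordn)";;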

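%
 The C-Port state tuple as a term of type c_state_ty.  The order of the
 names must match the order of the component types in c_state_ty.
 NOTE(review): the name printed between C_holdA_ and C_cout_0_le_delA is
 ambiguous in the listing (C_id_srdy here, C_rd_srdy in the quantifier
 list of C_Block_SPEC); confirm against the original source.
%
let c_state = "((C_mfsm_stateA,C_mfsm_mabort,C_mfsm_midle,C_mfsm_mrequest,C_mfsm_ma3,C_mfsm_ma2,C_mfsm_ma1,
                 C_mfsm_ma0,C_mfsm_md1,C_mfsm_md0,C_mfsm_iad_en_m,C_mfsm_m_cout_sel1,C_mfsm_m_cout_sel0,
                 C_mfsm_ms,C_mfsm_rqt_,C_mfsm_cgnt_,C_mfsm_cm_en,C_mfsm_abort_le_en_,C_mfsm_mparity,
                 C_sfsm_stateA,C_sfsm_ss,C_sfsm_iad_en_s,C_sfsm_sidle,C_sfsm_slock,C_sfsm_sa1,C_sfsm_sa0,
                 C_sfsm_sale,C_sfsm_sd1,C_sfsm_sd0,C_sfsm_sack,C_sfsm_sabort,C_sfsm_s_cout_sel0,C_sfsm_sparity,
                 C_efsm_stateA,C_efsm_srdy_en,
                 C_clkAA,C_sidle_delA,C_mrqt_delA,C_last_inA_,C_ssA,C_holdA_,C_id_srdy,C_cout_0_le_delA,
                 C_cin_2_leA,C_mrdy_delA_,C_iad_en_s_delA,C_wrdyA,C_rrdyA,C_iad_out,C_a1a0,C_a3a2,
                 C_mfsm_state,C_mfsm_srdy_en,C_mfsm_D,C_mfsm_grant,C_mfsm_rst,C_mfsm_busy,C_mfsm_write,
                 C_mfsm_crqt_,C_mfsm_hold_,C_mfsm_last_,C_mfsm_lock_,C_mfsm_ss,C_mfsm_invalid,
                 C_sfsm_state,C_sfsm_D,C_sfsm_grant,C_sfsm_rst,C_sfsm_write,C_sfsm_addressed,C_sfsm_hlda_,C_sfsm_ms,
                 C_efsm_state,C_efsm_cale_,C_efsm_last_,C_efsm_male_,C_efsm_rale_,C_efsm_srdy_,C_efsm_rst,
                 C_wr,C_sizewrbe,C_clkA,C_sidle_del,C_mrqt_del,C_last_in_,C_lock_in_,C_ss,C_last_out_,
                 C_hold_,C_cout_0_le_del,C_cin_2_le,C_mrdy_del_,C_iad_en_s_del,C_wrdy,
                 C_rrdy,C_parity,C_source,C_data_in,C_iad_in)
                :^c_state_ty)";;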

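%
 Type and term for the C-Port environment (input) tuple.  The component
 types in c_env_ty follow the order of the names in c_env: two words,
 nine single-bit I-bus controls, four C-bus input words, the reset and
 three clocks, two identifier words, two failure flags, the Ccr word and
 Reset_error.
%
let c_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                 wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;

let c_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
               I_lock_, I_cale_, I_hlda_, I_crqt_,
               CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
               Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
              :^c_env_ty)";;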

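%
 Type and term for the C-Port output tuple.  The component types in
 c_out_ty follow the order of the names in c_out.
%
let c_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                 bool#wordn#wordn#wordn#wordn#bool#bool)";;
let c_out = "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
               I_ad_out, I_be_out_,
               CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
              :^c_out_ty)";;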

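% Representation type taken from the aux_def theory via abstract_type; it is the type of the rep parameter used below. %
let rep_ty = abstract_type `aux_def` `Andn`;;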


% 

Input logic for C_last_in_ flip-flop. 


■% 


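%
 Last_Logic: enable input of the C_last_in_ flip-flop.  The enable is
 high on reset, on (clkD and mfsm_md1), or on mfsm_mabort.
%
let Last_Logic = new_definition
  (`Last_Logic`,
   "! rst clkD mfsm_md1 mfsm_mabort last_in_inE .
    Last_Logic rst clkD mfsm_md1 mfsm_mabort last_in_inE =
     !t:time .
      (last_in_inE t = (rst t) \/ ((clkD t) /\ (mfsm_md1 t)) \/ (mfsm_mabort t))"
  );;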


Input logic for C_last_out_ latch. 

I % 


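%
 Hold_Logic: set, reset and enable inputs of the C_last_out_ latch.
   last_out_inS : follows sfsm_sa1.
   last_out_inR : clkD high and the master-status word cb_ms equals MEND
                  or MABORT.
   last_out_inE : set or reset.
%
let Hold_Logic = new_definition
  (`Hold_Logic`,
   "! (cb_ms:time->wordn) clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE .
    Hold_Logic cb_ms clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE =
     !t:time .
      (last_out_inS t = sfsm_sa1 t) /\
      (last_out_inR t = (clkD t) /\ ((cb_ms t = ^MEND) \/ (cb_ms t = ^MABORT))) /\
      (last_out_inE t = (last_out_inS t) \/ (last_out_inR t))"
  );;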
Generation logic for cout_sel signal.


■% 


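%
 Cout_Sel_Logic_SPEC: two-bit output select word.
   When sfsm_sd0 or sfsm_sd1 is high: bit 0 is sfsm_s_cout_sel0 and bit 1
   is F.  Otherwise bit 0 is mfsm_m_cout_sel0 and bit 1 is
   mfsm_m_cout_sel1.
 The right-hand side updates (cout_sel t) itself, so only bits 0 and 1
 are constrained; any other bit of the word is left unspecified.
%
let Cout_Sel_Logic_SPEC = new_definition
  (`Cout_Sel_Logic_SPEC`,
   "! sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 (cout_sel:time->wordn) .
    Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 cout_sel =
     !t:time .
      (cout_sel t = ((sfsm_sd0 t) \/ (sfsm_sd1 t))
         => (let a1 = (ALTER (cout_sel t) 0 (sfsm_s_cout_sel0 t))
             in (ALTER a1 1 F))
         | (let a1 = (ALTER (cout_sel t) 0 (mfsm_m_cout_sel0 t))
            in (ALTER a1 1 (mfsm_m_cout_sel1 t))))"
  );;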


% 

Generation logic for srdy signal. 


-% 


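% Srdy_In_Logic_SPEC: dfsm_srdy is high exactly when the slave-status word cb_ss equals the SRDY code. %
let Srdy_In_Logic_SPEC = new_definition
  (`Srdy_In_Logic_SPEC`,
   "! (cb_ss:time->wordn) dfsm_srdy .
    Srdy_In_Logic_SPEC cb_ss dfsm_srdy =
     !t:time . (dfsm_srdy t = (cb_ss t = ^SRDY))"
  );;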


% 

Input logic for C_wrdy, C_rrdy latches. 


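%
 Rdy_Logic_SPEC: data inputs of the C_wrdy and C_rrdy latches.
   wrdy_inD : srdy, a write, mfsm_md1 and clkD all high.
   rrdy_inD : srdy, not a write, mfsm_md0 and clkD all high.
 The two inputs cannot both be high, since one requires write and the
 other its negation.
%
let Rdy_Logic_SPEC = new_definition
  (`Rdy_Logic_SPEC`,
   "! mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD .
    Rdy_Logic_SPEC mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD =
     !t:time .
      (wrdy_inD t = (srdy t) /\ (write t) /\ (mfsm_md1 t) /\ (clkD t)) /\
      (rrdy_inD t = (srdy t) /\ ~(write t) /\ (mfsm_md0 t) /\ (clkD t))"
  );;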

Generation logic for I_srdy_out_ signal. 


-% 


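%
 ISrdy_Out_Logic_SPEC: data and enable inputs for the I_srdy_out_ signal.
   isrdy_inD : low when any of wrdyA_outQ, rrdyA_outQ or fsm_mabort is
               high (the negation of their disjunction).
   isrdy_inE : high when cale_ is low or srdy_en is high.
%
let ISrdy_Out_Logic_SPEC = new_definition
  (`ISrdy_Out_Logic_SPEC`,
   "! wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE .
    ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE =
     !t:time .
      (isrdy_inD t = ~((wrdyA_outQ t) \/ (rrdyA_outQ t) \/ (fsm_mabort t))) /\
      (isrdy_inE t = ~(cale_ t) \/ (srdy_en t))"
  );;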


% 

Generation logic for CBss_out signal. 





~% 


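%
 CBss_Out_Logic_SPEC: slave-status word driven onto the C-bus.
 Bits 1..0 copy sfsm_ss; bit 2 is bit 2 of sfsm_ss gated by the two
 health inputs.  Only bits 2..0 of cbss_out are constrained, because the
 right-hand side updates (cbss_out t) itself.
 NOTE(review): as printed, bit 2 is gated by (pmm_failure t) and
 (piu_valid t) without negation, whereas CBms_Out_Logic_SPEC gates the
 corresponding master bit with the negated forms.  A negation sign may
 have been lost in the printed listing; confirm against the original
 source, since this gate decides whether a failed unit can still drive
 bit 2 of the status word.
%
let CBss_Out_Logic_SPEC = new_definition
  (`CBss_Out_Logic_SPEC`,
   "! (sfsm_ss:time->wordn) pmm_failure piu_valid cbss_out .
    CBss_Out_Logic_SPEC sfsm_ss pmm_failure piu_valid cbss_out =
     !t:time .
      (cbss_out t = (let a1 = (MALTER (cbss_out t) (1,0) (SUBARRAY (sfsm_ss t) (1,0)))
                     in (ALTER a1 (2) ((ELEMENT (sfsm_ss t) (2)) /\ (pmm_failure t) /\ (piu_valid t)))))"
  );;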




% 

Generation logic for CBms_out signal. 

% 


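%
 CBms_Out_Logic_SPEC: master-status word driven onto the C-bus.
 Bits 1..0 copy mfsm_ms; bit 2 is bit 2 of mfsm_ms ANDed with
 ~pmm_failure and ~piu_valid, so bit 2 is forced low whenever either of
 those inputs is high.  Only bits 2..0 of cbms_out are constrained,
 because the right-hand side updates (cbms_out t) itself.
%
let CBms_Out_Logic_SPEC = new_definition
  (`CBms_Out_Logic_SPEC`,
   "! (mfsm_ms:time->wordn) pmm_failure piu_valid cbms_out .
    CBms_Out_Logic_SPEC mfsm_ms pmm_failure piu_valid cbms_out =
     !t:time .
      (cbms_out t = (let a1 = (MALTER (cbms_out t) (1,0) (SUBARRAY (mfsm_ms t) (1,0)))
                     in (ALTER a1 (2) ((ELEMENT (mfsm_ms t) (2)) /\ ~(pmm_failure t) /\ ~(piu_valid t)))))"
  );;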




Generation logic for cout_l_le signal. 

% 


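%
 Cout_1_Le_Logic_SPEC: a two-way select for the cout_1_le latch enable.
 When dfsm_master is high the output is cout_0_le_del, otherwise it is
 dfsm_cout_1_le.
%
let Cout_1_Le_Logic_SPEC = new_definition
  (`Cout_1_Le_Logic_SPEC`,
   "! dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le .
    Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le =
     !t:time .
      (cout_1_le t = ~(dfsm_master t) /\ (dfsm_cout_1_le t) \/ (dfsm_master t) /\ (cout_0_le_del t))"
  );;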

Generation logic for iad_en signal. 

% 


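% Iad_En_Logic_SPEC: iad_en is the OR of the master enable, the slave enable and the delayed slave enable. %
let Iad_En_Logic_SPEC = new_definition
  (`Iad_En_Logic_SPEC`,
   "! mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en .
    Iad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en =
     !t:time .
      (iad_en t = (mfsm_iad_en_m t) \/ (sfsm_iad_en_s t) \/ (iad_en_s_del t))"
  );;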


% 


% 

Generation logic for c_pe_cnt signal.


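%
 Pe_Cnt_Logic_SPEC: qualifier for counting a parity error.
 c_pe_cnt is high when clkD is high and either the slave and master
 parity flags differ or bits 1..0 of cb_ss_in equal WORDN 0.
%
let Pe_Cnt_Logic_SPEC = new_definition
  (`Pe_Cnt_Logic_SPEC`,
   "! clkD (sfsm_sparity:time->bool) mfsm_mparity (cb_ss_in:time->wordn) c_pe_cnt .
    Pe_Cnt_Logic_SPEC clkD sfsm_sparity mfsm_mparity cb_ss_in c_pe_cnt =
     !t:time .
      (c_pe_cnt t = (clkD t) /\
         (~((sfsm_sparity t) = (mfsm_mparity t)) \/ ((SUBARRAY (cb_ss_in t) (1,0)) = WORDN 0)))"
  );;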


% 

Generation logic for c_grant, c_busy signals. 


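%
 Grant_Logic_SPEC: bus busy and grant signals from the request word rqt_
 and the two low bits of this unit's id.
   busy  : high when any of bits 3, 2 or 1 of rqt_ is low.
   grant : one disjunct per id value 0..3; each disjunct combines the id
           comparison with a test on bits of rqt_.
 NOTE(review): as printed, every disjunct tests ~ELEMENT (rqt_ t) (0)
 and busy ignores bit 0.  For an arbitration scheme that looks unusual,
 and some bit indices may have been misread in the printed listing;
 confirm against the original source before relying on the arbitration
 order.
%
let Grant_Logic_SPEC = new_definition
  (`Grant_Logic_SPEC`,
   "! (id:time->wordn) (rqt_:time->wordn) busy grant .
    Grant_Logic_SPEC id rqt_ busy grant =
     !t:time .
      (busy t = ~(ELEMENT (rqt_ t) (3)) \/ ~(ELEMENT (rqt_ t) (2)) \/ ~(ELEMENT (rqt_ t) (1))) /\
      (grant t = ((SUBARRAY (id t) (1,0)) = WORDN 0) /\ ~(ELEMENT (rqt_ t) (0)) \/
                 ((SUBARRAY (id t) (1,0)) = WORDN 1) /\ ~(ELEMENT (rqt_ t) (0)) /\ (ELEMENT (rqt_ t) (1)) \/
                 ((SUBARRAY (id t) (1,0)) = WORDN 2) /\ ~(ELEMENT (rqt_ t) (0)) /\ (ELEMENT (rqt_ t) (1)) /\
                    (ELEMENT (rqt_ t) (2)) \/
                 ((SUBARRAY (id t) (1,0)) = WORDN 3) /\ ~(ELEMENT (rqt_ t) (0)) /\ (ELEMENT (rqt_ t) (1)) /\
                    (ELEMENT (rqt_ t) (2)) /\ (ELEMENT (rqt_ t) (3)))"
  );;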


Generation logic for addressed signal. 


•% 


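%
 Addressed_Logic_SPEC: address match for this unit.
 addressed is high exactly when bits 5..0 of id equal bits 15..10 of
 source, compared bit by bit.
%
let Addressed_Logic_SPEC = new_definition
  (`Addressed_Logic_SPEC`,
   "! (id:time->wordn) (source:time->wordn) addressed .
    Addressed_Logic_SPEC id source addressed =
     !t:time .
      (addressed t = ((ELEMENT (id t) (0)) = (ELEMENT (source t) (10))) /\
                     ((ELEMENT (id t) (1)) = (ELEMENT (source t) (11))) /\
                     ((ELEMENT (id t) (2)) = (ELEMENT (source t) (12))) /\
                     ((ELEMENT (id t) (3)) = (ELEMENT (source t) (13))) /\
                     ((ELEMENT (id t) (4)) = (ELEMENT (source t) (14))) /\
                     ((ELEMENT (id t) (5)) = (ELEMENT (source t) (15))))"
  );;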


% 

Generation logic for Disable_writes signal. 


■% 


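%
 D_Writes_Logic_SPEC: write-protect gate for slave transactions.
 disable_writes is high when dfsm_slave is high and, for every i in
 0..3, bit i of chan_id and bit i+6 of source are not both set.  A write
 is therefore allowed through only if at least one channel-id bit
 coincides with the matching bit of source, or the unit is not acting as
 a slave.
%
let D_Writes_Logic_SPEC = new_definition
  (`D_Writes_Logic_SPEC`,
   "! dfsm_slave (chan_id:time->wordn) (source:time->wordn) disable_writes .
    D_Writes_Logic_SPEC dfsm_slave chan_id source disable_writes =
     !t:time .
      (disable_writes t = (dfsm_slave t) /\ ~((ELEMENT (chan_id t) (0)) /\ (ELEMENT (source t) (6)))
                                          /\ ~((ELEMENT (chan_id t) (1)) /\ (ELEMENT (source t) (7)))
                                          /\ ~((ELEMENT (chan_id t) (2)) /\ (ELEMENT (source t) (8)))
                                          /\ ~((ELEMENT (chan_id t) (3)) /\ (ELEMENT (source t) (9))))"
  );;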




Generation logic for c_pe signal. 


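%
 Parity_Decode_Logic_SPEC: applies the abstract parity functions of rep
 to the incoming C-bus word.  cad_in_dec is Par_Dec of cad_in and
 cad_in_det is Par_Det of cad_in; what the two functions compute is
 fixed by the representation rep, not by this definition.
%
let Parity_Decode_Logic_SPEC = new_definition
  (`Parity_Decode_Logic_SPEC`,
   "! rep cad_in cad_in_dec cad_in_det .
    Parity_Decode_Logic_SPEC rep cad_in cad_in_dec cad_in_det =
     !t:time .
      (cad_in_dec t = (Par_Dec rep (cad_in t))) /\
      (cad_in_det t = (Par_Det rep (cad_in t)))"
  );;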


Input logic for C_parity latch. 

% 


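%
 Parity_Signal_Inputs_SPEC: set, reset and enable inputs of the C_parity
 latch.
   c_parity_inS : cad_in_det, clkD and c_pe_cnt all high.
   c_parity_inR : rst or reset_parity.
   c_parity_inE : set or reset.
 Once set, the flag is cleared only through rst or reset_parity.
%
let Parity_Signal_Inputs_SPEC = new_definition
  (`Parity_Signal_Inputs_SPEC`,
   "! rst cad_in_det clkD c_pe_cnt reset_parity
      c_parity_inS c_parity_inR c_parity_inE .
    Parity_Signal_Inputs_SPEC rst cad_in_det clkD c_pe_cnt reset_parity
                              c_parity_inS c_parity_inR c_parity_inE =
     !t:time .
      (c_parity_inS t = (cad_in_det t) /\ (clkD t) /\ (c_pe_cnt t)) /\
      (c_parity_inR t = (rst t) \/ (reset_parity t)) /\
      (c_parity_inE t = (c_parity_inS t) \/ (c_parity_inR t))"
  );;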


% 

C-Bus input latches. 


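%
 CB_In_Latches_SPEC: C-bus input latches c_source, c_data_in, c_sizewrbe
 and c_iad_preout.
   clkA high: the first three hold; c_iad_preout loads c_data_in when
              cin_2_le is high.
   clkB high: c_source and c_sizewrbe are cleared on rst or loaded under
              cin_3_le / cin_4_le; the two halves of c_data_in are loaded
              from cad_in_dec under cin_1_le and cin_0_le; c_iad_preout
              holds.
   The outputs source, sizewrbe and iad_preout are the values the
   latches take at t+1.
 NOTE(review): c_data_in (t+1) is constrained by two separate equations
 whose final branch is c_data_in (t+1) itself, and the two rst branches
 differ as printed (upper half cleared in one, WORDN 0 in the other).
 Part of the second equation may have been lost in the printed listing;
 confirm against the original source.
%
let CB_In_Latches_SPEC = new_definition
  (`CB_In_Latches_SPEC`,
   "! clkA clkB rst (cad_in_dec:time->wordn) cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
      (source:time->wordn) (sizewrbe:time->wordn) iad_preout
      c_source c_data_in c_sizewrbe c_iad_preout .
    CB_In_Latches_SPEC clkA clkB rst cad_in_dec cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
                       source sizewrbe iad_preout
                       c_source c_data_in c_sizewrbe c_iad_preout =
     !t:time .
      ((clkA t) ==>
         ((c_source (t+1) = c_source t) /\
          (c_data_in (t+1) = c_data_in t) /\
          (c_sizewrbe (t+1) = c_sizewrbe t) /\
          (c_iad_preout (t+1) = (cin_2_le t) => (c_data_in t) | (c_iad_preout t)))) /\
      ((clkB t) ==>
         ((c_source (t+1) = (rst t) => WORDN 0 |
                            (cin_3_le t) => (cad_in_dec t) |
                            (c_source t)) /\
          (c_data_in (t+1) = (rst t) => MALTER (c_data_in t) (31,16) (WORDN 0) |
                             ((cin_1_le t) /\ (~cin_0_le t)) => MALTER (c_data_in t) (31,16) (cad_in_dec t) |
                             (c_data_in (t+1))) /\
          (c_data_in (t+1) = (rst t) => WORDN 0 |
                             ((cin_0_le t) /\ (~cin_1_le t)) => MALTER (c_data_in t) (15,0) (cad_in_dec t) |
                             (c_data_in (t+1))) /\
          (c_sizewrbe (t+1) = (rst t) => WORDN 0 |
                              (cin_4_le t) => SUBARRAY (c_data_in t) (31,22) |
                              (c_sizewrbe t)) /\
          (c_iad_preout (t+1) = (c_iad_preout t)))) /\
      ((source t = c_source (t+1)) /\
       (sizewrbe t = c_sizewrbe (t+1)) /\
       (iad_preout t = c_iad_preout (t+1)))"
  );;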


% 

Generation logic for I_be_out_ signal. 




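%
 BE_Out_Logic_SPEC: byte-enable output.  While hlda is high, be_out is
 bits 9..6 of sizewrbe.  The definition says nothing about be_out while
 hlda is low, so its value is unconstrained in that case.
%
let BE_Out_Logic_SPEC = new_definition
  (`BE_Out_Logic_SPEC`,
   "! (sizewrbe:time->wordn) hlda be_out .
    BE_Out_Logic_SPEC sizewrbe hlda be_out =
     !t:time .
      ((hlda t) ==> (be_out t = SUBARRAY (sizewrbe t) (9,6)))"
  );;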

Generation logic for write signal. 

% 


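%
 Write_Logic_SPEC: the C_wr latch and the write signal.
   clkA high: C_wr holds.
   clkB high: C_wr loads bit 27 of iad_in when cale_ is low, otherwise it
              holds.
   write    : the next value of C_wr for a master transaction, otherwise
              bit 5 of sizewrbe.
%
let Write_Logic_SPEC = new_definition
  (`Write_Logic_SPEC`,
   "! clkA clkB (iad_in:time->wordn) sizewrbe cale_ master_tran C_wr write .
    Write_Logic_SPEC clkA clkB iad_in sizewrbe cale_ master_tran C_wr write =
     !t:time .
      ((clkA t) ==> C_wr (t+1) = C_wr t) /\
      ((clkB t) ==> C_wr (t+1) = (~cale_ t) => (ELEMENT (iad_in t) (27)) | C_wr t) /\
      (write t = (master_tran t) => (C_wr (t+1)) | (ELEMENT (sizewrbe t) (5)))"
  );;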


% 

C-Bus output latches. 


— % 


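%
 CB_Out_Logic_SPEC: C-bus output latches C_iad_in, C_a1a0 and C_a3a2, and
 the parity-encoded output word cad_preout.
   clkA high: C_iad_in holds; C_a1a0 loads C_iad_in when cout_1_le is
              high; C_a3a2 loads ccr when mfsm_mrequest is high.
   clkB high: C_iad_in loads iad_in when dfsm_cout_0_le is high; C_a1a0
              and C_a3a2 hold.
   cad_preout: Par_Enc of one 16-bit half of the next latch values,
              chosen by the next cout_sel: 0 and 1 select the low and
              high half of C_a1a0, 2 selects the low half of C_a3a2, and
              any other value selects the high half of C_a3a2.
%
let CB_Out_Logic_SPEC = new_definition
  (`CB_Out_Logic_SPEC`,
   "! rep clkA clkB (iad_in:time->wordn) (ccr:time->wordn) dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
      C_iad_in C_a1a0 C_a3a2 .
    CB_Out_Logic_SPEC rep clkA clkB iad_in ccr dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
                      C_iad_in C_a1a0 C_a3a2 =
     !t:time .
      ((clkA t) ==>
         ((C_iad_in (t+1) = C_iad_in t) /\
          (C_a1a0 (t+1) = (cout_1_le t) => (C_iad_in t) | (C_a1a0 t)) /\
          (C_a3a2 (t+1) = (mfsm_mrequest t) => (ccr t) | (C_a3a2 t)))) /\
      ((clkB t) ==>
         ((C_iad_in (t+1) = (dfsm_cout_0_le t) => (iad_in t) | (C_iad_in t)) /\
          (C_a1a0 (t+1) = C_a1a0 t) /\
          (C_a3a2 (t+1) = C_a3a2 t))) /\
      (cad_preout t = ((cout_sel (t+1)) = WORDN 0) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (15,0))) |
                      ((cout_sel (t+1)) = WORDN 1) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (31,16))) |
                      ((cout_sel (t+1)) = WORDN 2) => (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (15,0))) |
                      (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (31,16))))"
  );;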


% — 

C-Port Block.


% 


%
  C_Block_SPEC: structural (gate-level) specification of the C-Port block.

  The definition takes three tuples (latched state, environment inputs and
  outputs) plus rep.  Its body existentially quantifies the internal wires
  and conjoins one predicate per component: latches and flip-flops,
  tri-state buffers, small logic blocks, and the four state-machine
  specifications listed last (CMFSM, CSFSM, CEFSM, CDFSM).

  Points a reviewer will want to trace in the conjunct list:
    - the parity path: the Parity_Decode conjunct reads CB_ad_in, the
      Parity_Signal_Inputs conjunct produces the set/reset/enable inputs,
      and a DSRELAT_SPEC conjunct latches them onto CB_parity;
    - the Disable_writes output comes from the D_Writes_Logic conjunct;
    - CB_ms_out and CB_ss_out both take Pmm_failure and Piu_invalid as
      inputs.

  NOTE(review): this listing is OCR-damaged and is left exactly as printed.
  Identifiers are split or misspelled, /\ appears as A, | as I, and the
  definition ends inside the CDFSM conjunct with no closing quotation or
  terminator.  It cannot be loaded as is; restore it from the original
  source rather than from this page.
%
let C_Block_SPEC = new_definition 
( 4 C_Block_SPEC‘, 

“! (C_mfsm_stateA C_mfsm_state :tune->cmfsm_ty) 

(C_sfsm_stateA C_sfsm_state :time->csf&m_ty) 

(C_efsm_stateA C_ef sm_state :time->cefsm_ty) 

(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_alaO C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss 
C_source C_data_in C_iad_in :time->wordn) 

(C_mfsm_m abort C„mfsm_midle C_mfsm^mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_mal 
C_mfsm_maO C_mfsm_mdl C_mfsm_mdO C_mfsm_iad_en_m C_mfsm_m_cout_sel 1 C_mfsm_m_cout_seK) 
C_mfsm_rqt_ C_mfsm_cgDt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity 
C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sal C_sfsm_saO 

C_sfsm_sale C_sfsm_sdl C_sfsm_sdO C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_selO C_sfsm_sparity 
C_efsm_srdy_en 

C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_boldA_ C_rd_srdy C_cout_0_le_delA 
C_cin_2_leA C_mrdy_deLA_ C_iad_en_s_delA C_wrdy A C.rrdyA 
C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm jst C_mfsm_busy C_mfsm_write 
C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_k>ck_ C_mfsm_invalid 
C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_wnte C_sfsm_addressed C_sfsm_hlda_ 

C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst 
C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_ln_ C_last_out_ 

C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy 
C _jrdy C_parity :time->bool) 

(T_mndy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock^_ I_cale_ I_hlda_ I_crqt_ 

Rgt ClkA ClkB ClkD Pmm_failure Piu_m valid Reset_error :time->bool) 

(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannellD Ccr :time->wordn) 

(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_ 

Disable_writes CB ^parity :time->bool) 

(I_ad_out I_be_out„ CB_ms_out CB_ss_out CB_ad_out C_ss_out :time->wordn) 

(rep: A rep_ty) . 

C_Block„SPEC (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest > C_mfsm_ma3, C_mfsm_ma2, 

C_mfsm_mal, C_mfsm_maO, C_mf sm_md 1 , C_mfsm_mdO, C_mfsm_iad_ea_m, Cjnfsm_m_cout_sell, 
C_mfsm_m_cout_selO, C_mfsm__ms, Cjnfsm_rqt_, C _jnfsm_cgot_, C_mfsm_cm_en , 

C_mfsm_abort _le_en_, C_mfsm_mparity, 

C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sal , 

C_sfsm_saO, C_sfsm_sale, C_sfsm_sdl , C_sfsm_sdO, C_s fsm_6ack , C_sfsm_sabort, 
C_sfsm_s_cout_selO, C_sfsm_sparity, C_efsm_stateA, C_ef sm_srd y_en , 

C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_h°WA_, C_rd_srdy, 

C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_deLA, C_wrdyA, C_rrdyA, C_iad_out, 
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C_alaO, C_a3a2, 

C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsmJ>usy, 
C_mfsm_ write, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, 
C_mfsm_invalid, 

C_sfsm_state, C_sfsm_D, C sfsm grant, C_sfsm_rst, C_sfsm_wnte, C_sfsm_addressed, 
C_sfsm_hlda_, C_sfsm_ms, 

C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, 
C_efsm_rst, 

C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, CJastJn_, CJock_in_, C_ss, 
CJast_out_, C_bold_, C_cout_0 _le_del, C_cin_2_le, C_mrdy_del_, C Jad_en_s_del, C_wrdy, 
C_ndy, C_panty, C_source, C_data_m, C JadJn) 

(I_ad_m, I_be_w_, I_mrdy_in_, I_rale_in_, Lmale_in_, I_last_in_, I_srdy_in_, 

I_lock_, I_cale_, I_hlda_, I_crqt_, 

CB_rqt_in_, CB_ad_m, CB_ms_in, CB_ss_in, 

Rst, ClkA, ClkB, ClkD, Id, ChannellD, Pmm.failure, Piujnvalid, Ccr, Reset_error) 

(I_cgnt_, I_mrdy_out_, I_bold_, I_rale_out_, I_male_out_» I_last_out_, I_.srdy_out._j 
I_ad_out, I_be_out_, 

CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable__writes l CB^parity) 


rep = 


? (grant busy mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_mal mfsm_maO 
mfsm_mdl mfsmjmdO mfsm_iad_en_m mfsm_m_cout_sel 1 mf sm_m_co u t_selO mfsm_cm_en 
mfsm_abort_le_en_ mfsm_mparity sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sal sfsm_saO 
sfsm.sale sfsmjjdl sfsm_sdO sfsm_sack sfsm_sabort sfsm_s_cout_selO sfsm_sparity 
efsm_srdy_en dfsm_master dfsm_slave dfsm_cm_0_le dfsm_cin_l_le dfsm_cin__3_Ie 
dfsm_cin_4 Je dfsm_cout_0_le dfsm_cout_l_le dfsm_cad_en_ dfsm_male_ dfsm_rale_ 
dfsm_mrdy_ last_in_inB last_in_outQ lock_in_inE lock_in_outQ clkA_outQ 
last_out_inS last_out_inR last_outJnE last__out_outQ sstatus_en_ sidle_del_outQ 
mrqt_del_outQ mstatus_en_ dfsm_srdy write wrdy_inD wrdy_outQ rrdy_inD rrdy_outQ 
wrdyA.outQ rrdyA.outQ i_srdy_en isrdy_inD isrdy_inE cout_OJe_del_out cin__2_le__out 
cout_l_le mrdy_del_out iad_en_s_del_outQ iad_en c_pe__cnt addressed cin_2_le 
in_det c_parity_inS c_parity_inR c_parity_inE hlda :time->bool) 

(mfsm_ss mfsm_ms sfsm_ss counsel cad_in_dec source size wr be iad_preout cad_preout :time->wordn) . 

(OR2_SPEC Rst mfsm_mal lock_in_inE) A 

(DRELAT.SPEC I_lock_ Rst lock_m_inE ClkB C Jock_in_ lockJn.outQ) A 
(Last_Logic Rst ClkD mfsm_mdl mfsm_mabort last_in_inE) A 

(DREFF.SPEC I_last_in_ last Jn_inE Rst ClkB C Jast _inA_ CJastJn_ last_in_outQ) A 
(DEFFn_SPEC mfsm_ss mfsm.abort _le__en_ ClkB C_ssA C_ss C_ss_out) A 
(DFF_SPEC ClkD ClkA C_clkA C_clkAA clkA_outQ) A 

(Hold__Logic CB_ms_in ClkD sfsm_sal last_out_inS last_out_inR last_out_mE) A 

(DSRELAT_SPEC GND last_out_mS last_out_inR last_out_inE ClkB CJast_out_ last_out_outQ) A 

(TRIBUF.SPEC last_out_outQ hlda I _last_out J A 

(OR2_SPEC sfsm_sidle sfsm_sabort sstatus_en_) A 

(DFF_SPEC sfsm_sidle ClkA C_sidle_del C_sidle_delA sidle_del_outQ) A 

(DFF_SPEC mfsm jnrequest ClkA C_mrqt_del C_mrqt_delA mrqt_del_outQ) A 

(Cout_Sel_Logic_SPEC sfsm_s_cout_selO mfsm _m_cout_sell mfsm_m_cout_selO sfsm_sdO sfsm_sdl cout_sel) A 
(NOT_SPEC mfsm_cm_en mstatus_en_) A 

(DEFF.SPEC sfsm.sidle ClkD ClkA C_hold_ C_holdA_ I.holdJ A 
(Srdy_In_Log ic_S PEC CB_ss_in dfsm_srdy) A 

(Rdy_Logic_SPEC mfsm.mdO mfsm.mdl ClkD write dfsm_srdy wrdy_inD rrdyJnD) A 
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(DLXT_SPEC wrdy_tnD ClkB C_wrdy wrdy_outQ) A 
(DLAT_SPEC irdy_inD ClkB Cjrdy rrdy_outQ) A 
(DLAT_SPEC wrdy_outQ ClkA C_wrdyA wrdyA_outQ) A 
(DLATJ5PEC rrdy_outQ ClkA C_rrdyA rrdyA_outQ) A 

(ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ mfsm_mabort I_cale_ i_srdy_en isrdy JnD isrdy_inE) A 

(TRIBUF_SPEC isrdy _inD isrdy _inE I_srdy_outJ A 

( CB ss_Out_Log ic_S PEC sfsm_ss Pmmjailure Piu_invalid CB_ss_out) A 

(DFF_SPEC dfsm_cout_OJe ClkA C_coutJ)Je_del C_cout_OJe_delA cout_OJe_del_out) A 

(DFFJ5PEC dfsm_cin_0_le ClkA C_cin_2Je C_cin_2_leA cin_2_le_out) A 

(Cout_l_Lc_Logic_SPEC dfsm_master co u t_0 Je_del_o u t dfsm_cout_l_le cout_l_le) A 

(DFFJSPEC dfsm_mrdy_ ClkA C_mrdy_del_ C_mrdy_delA_ mrdy_del__out) A 

(NOT_SPEC Lhlda_ hlda) A 

(TRIBUF_SPEC dfsm_male_ hlda I_male_out_) A 

(TRJBUF_SPEC dfsm_rale_ hlda I_rale_out_) A 

(TRIBUF_S PEC mrdy_del_out hlda I_mrdy_out_) A 

(DEFF_SPEC sfsmjad_en_s ClkD ClkA CJad_en_s_del CJad_en_s_delA iad_en_s_del_outQ) A 
( Iad_En_Log ic_S PEC mfsmjad_en_m sfsm_iad_en_s iad_en_s_del_outQ iad_en) A 
(CBms_Out_Logic_SPEC mfsm_ms Pmm_failure Piu_in valid CB_ms_out) A 
(Pe_Cnt_Logic__SPEC ClkD sfsm__sparity mfsm_mparity CB_ss_in c_pe_cnt) A 
(Grant Jx>gic_SPEC Id CB_rqtJn_ busy grant) A 
(Addressed Jx>gic_SPEC Id C_source addressed) A 

(D_Writes_Logic_SPEC dfsm_slave ChannellD C_source Disable_writes) A 
(Parity _Decode_Logic_SPEC rep CB_ad_in cad_in_dec cad_in_det) A 
( Parity _S ign al_In puts_S PEC Rst cad Jn_det ClkD c _pe_cnt Reset_error 
c_parity_inS c_parityJnR c_parityJnE) A 

(DSRELAT_SPEC GND c_parity_inS c_parity_inR c_parityJnE ClkB C ^parity CB_parity) A 
(CB Jn_Latches_SPEC ClkA ClkB Rst cad_in_dec dfsm_cinj)je dfsm_cinj Je cin_2Je dfsm_cin_3 Je 
dfsm_cin_4Je source sizewrbe iad_preout 
C_source C_datajn C_sizewibe C Jad_out) A 
( B E_Out_Log ic_S PEC sizewrbe hlda IJ>e_outJ A 
(TRIBUF_SPEC iad_preout iad_en I_ad_out) A 

(Write_Logic_S PEC ClkA ClkB I_adjn sizewrbe I_cale_ mfsm_cm_eo C_wr write) A 

(CB_Out_Logic_S PEC rep ClkA ClkB I_ad_in Ccr dfsm_coutJ)Je cout J Je mfsm_mrequest cout_sel cad_preout 
CJadJn C_alaO C_a3a2 ) A 

(TRIBUF_SPEC cad_preout dfsm_cad_en_ CB_ad_out) A 
(CMFSM_SPEC ClkA ClkB cfsm_srdy_en ClkD grant Rst busy write 

I_crqt_ I_hold_ last Jn_outQ lock_in_outQ CB_ss_in Piu Jnvalid 

C_mfsm_state C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C _jnfsm_rst C_mfsm_busy C_mfsm_wnte 
C_mfsm_crqt_ C_mfsm_hold_ C_mfsmjast_ C_mfsmJock_ C_mfsm_ss C_mfsm Jnvalid 
C_mfsm_stateA C_mf sm_m abort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 
C_mfsm_mal C_mfsm_maO C_mfsm_mdl C_mfsm jndO C _jnfsmjad_en_m C_mfsm_m_cout_sel 1 
C_mfsm_m_co ut_selO C_mfsm_ms C_mfsm_rqt_ C^mfsm_cgnt_ C_mfsm_cm_en 
C_mfsm_abort_le_en_ C_mfsm_mparity 

mfkm mahort m fsm midl e mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_mal mfsm_maO 
mfsm_md 1 mfsm_mdO mfsmjad_en_m mf sm_m_cout__sel 1 mfsm_m_cout_selO mfsm_jns 
CB_rqt_out_ I_cgnt_ mfsm_cm_en mfsm_abortJe_en_ mfsm_mparity) A 
(CSFSM_SPEC ClkA ClkB ClkD grant Rst write addressed I_hlda_ CB_msJn 

C_sfsm_state C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed 
C_sfsm_hlda_ C_sfsm_ms C_sfsm_stateA C_sfsm_ss C_sfsmJadjen_s C_sfsm_sidle 
C_sfsm_slock C_sfsm_sal C_sfsm_saO C_sfsm_sale C_sfsm_sdl C_sfsm_sdO C_sfsm_sack 
C_sfsm_sabort C_sfsm_s_cout_selO C_sfsm_sparity 

sfsm_ss sfsmJad_eo_s sfsm_sidle sfsm_slock sfsm_sal sfsm_saO sfsm_sale 
sfsm_sdl sfsm_sdO sfsm_sack sfsm_sabort sfsm_s_cout_seIO sfsmjsparity) A 
(CEFSM_SPEC ClkA ClkB I_cale_ I_last_in_ I_malejn_ I_rale_in_ I_srdy_in_ Rst 
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C_efsm_state C_efsm_cale_ C_efsm_last_ C_efsm_tnale_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst 
C_efsm_stateA C_efsm_srdy_en efsm_srdy_en) A 
(CDFSM SPEC dfsm_srdy ClkD clkA_outQ write sizewrbe sfsm_sid!e sidle_del_outQ sfsm_slock 

sfsm_sal sfsm_saO sfsm_sale sfsm_sd 1 sfsm_sdO sfsm_sack mfsm_midle mrqt_del_outQ 
mfsm_ma3 mfsm_ma2 mfsm_mal mfsm_maO mfsm_mdl mfsm_mdO I_cale_ I_srdy_in_ 
dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_l Je dfsm_cin_3_le dfsm_cin_4_le 
dfsm_cout_0_le dfsm_cout_l Je dfsm_cad_en_ dfsm_male_ dfsm_rale_ dfsm_mrdy J” 


close_theory();; 
B.5 SU_Cont Specification


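%
  File:    s_block.ml

  Author:  (c) D.A. Fura 1992

  Date:    31 March 1992

  This file contains the ml source for the gate-level specification of the startup controller of
  the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.

  NOTE(review): restored from an OCR-damaged listing.  The closing comment
  delimiter, the string quotes and the type antiquotations were rebuilt from
  context; the library path is the one printed in the P-Port file header.
%

% The library path is absolute and specific to the author's machine. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

% Shells out to delete any stale theory file in the current directory,
  presumably because new_theory will not overwrite an existing one. %
system `rm s_block.th`;;
new_theory `s_block`;;

map new_parent [`gates_def`;`latches_def`;`ffs_def`;`counters_def`;`saux_def`;`aux_def`;`array_def`;`wordn_def`];;

% Latched state of the startup controller; component order matches s_state. %
let s_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#bool#bool#
                    sfsm_ty#bool#bool#bool#bool#bool#
                    bool#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
                 S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
                 S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                 S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                 S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                 S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
                :^s_state_ty)";;

% Environment inputs: two clock phases, reset, and the control/failure pins. %
let s_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
              :^s_env_ty)";;

% Outputs: the encoded FSM state followed by ten reset/failure flags. %
let s_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
               Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
              :^s_out_ty)";;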


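%
  Input logic for S_soft_shot latch.

  Decodes the two inputs gcrh and gcrl:
    soft_shot_inD is true when gcrh is low and gcrl is high,
    soft_cnt_inL  is true when both are low.

  NOTE(review): restored from an OCR-damaged listing; the leading minus on
  gcrh was read as the negation ~.
%

let Scnt_In_SPEC = new_definition
  (`Scnt_In_SPEC`,
   "! gcrh gcrl soft_shot_inD soft_cnt_inL .
      Scnt_In_SPEC gcrh gcrl soft_shot_inD soft_cnt_inL =
        (!t:time . (soft_shot_inD t = ~gcrh t /\ gcrl t) /\
                   (soft_cnt_inL t = ~gcrh t /\ ~gcrl t))"
  );;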

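%
  Input logic for S_soft_cnt counter.

  soft_cnt_inU is true only when soft_shot_outQ is high and its delayed copy
  soft_shot_del_outQ is still low, so it marks the first step after
  soft_shot goes high.

  NOTE(review): restored from an OCR-damaged listing.  The name is read as
  Scnt_In1_SPEC (digit one); the terminator was missing and is supplied.
%

let Scnt_In1_SPEC = new_definition
  (`Scnt_In1_SPEC`,
   "! soft_shot_outQ soft_shot_del_outQ soft_cnt_inU .
      Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU =
        (!t:time . (soft_cnt_inU t = soft_shot_outQ t /\ ~soft_shot_del_outQ t))"
  );;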


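%
  Input logic for S_delay counter.

  delay_inR, the reset input of the delay counter, is asserted when
  reset_cnt is true, or when scpustart is true and ELEMENT (delay t) (6)
  is set.

  NOTE(review): restored from an OCR-damaged listing; the grouping of /\ and
  \/ relies on operator precedence exactly as printed.
%

let Delay_In_SPEC = new_definition
  (`Delay_In_SPEC`,
   "! scpustart delay reset_cnt delay_inR .
      Delay_In_SPEC scpustart delay reset_cnt delay_inR =
        (!t:time . (delay_inR t = scpustart t /\ (ELEMENT (delay t) (6)) \/ reset_cnt t))"
  );;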


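%
  Delay counter output multiplexers.

  Both outputs are single bits of the delay word, chosen by test:
    instart_inD  is bit 5 when test is true, bit 16 otherwise,
    delay17      is bit 6 when test is true, bit 17 otherwise.
  The test input therefore moves the startup timing onto lower-order
  counter bits.

  NOTE(review): restored from an OCR-damaged listing.
%

let Muxes_SPEC = new_definition
  (`Muxes_SPEC`,
   "! (delay:time->wordn) test instart_inD delay17 .
      Muxes_SPEC delay test instart_inD delay17 =
        (!t:time . (instart_inD t = (test t) => ELEMENT (delay t) (5) | ELEMENT (delay t) (16)) /\
                   (delay17 t = (test t) => ELEMENT (delay t) (6) | ELEMENT (delay t) (17)))"
  );;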


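%
  Generation logic for Disable_int output.

  disable_int_out is true only when instart is false and the conjunction
  (normal, bit 6 of delay, disable_int_in) does not hold.

  NOTE(review): restored from an OCR-damaged listing; the two leading minus
  signs were read as the negation ~.
%

let Dis_Int_Out_SPEC = new_definition
  (`Dis_Int_Out_SPEC`,
   "! instart normal delay disable_int_in disable_int_out .
      Dis_Int_Out_SPEC instart normal delay disable_int_in disable_int_out =
        (!t:time . (disable_int_out t = ~instart t /\ ~(normal t /\ (ELEMENT (delay t) (6)) /\ disable_int_in t)))"
  );;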


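%
  Input logic for S_bad_cpu0, S_bad_cpu1 latches.

  Produces the set (inS), reset (inR) and enable (inE) inputs of the two
  bad-CPU latches:
    - both latches are set by begin;
    - bad_cpu0 is reset in the normal or operation state when cpu0_fail is
      low;
    - bad_cpu1 is reset in the normal or operation state only when cpu0_fail
      is high and cpu1_fail is low;
    - each enable is the OR of that latch's set and reset conditions.

  NOTE(review): restored from an OCR-damaged listing (letter O read as digit
  0 in cpu0, letter l as digit 1 in cpu1).  The closing quotation and
  terminator were missing and are supplied.
%

let Bad_Cpu_In_SPEC = new_definition
  (`Bad_Cpu_In_SPEC`,
   "! normal operation cpu0_fail cpu1_fail begin
      bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
      bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE .
      Bad_Cpu_In_SPEC normal operation cpu0_fail cpu1_fail begin
                      bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
                      bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE =
        (!t:time . (bad_cpu0_inS t = begin t) /\
                   (bad_cpu0_inR t = (normal t \/ operation t) /\ ~cpu0_fail t) /\
                   (bad_cpu0_inE t = begin t \/ (normal t \/ operation t) /\ ~cpu0_fail t) /\
                   (bad_cpu1_inS t = begin t) /\
                   (bad_cpu1_inR t = (normal t \/ operation t) /\ cpu0_fail t /\ ~cpu1_fail t) /\
                   (bad_cpu1_inE t = begin t \/ (normal t \/ operation t) /\ cpu0_fail t /\ ~cpu1_fail t))"
  );;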


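%
  Generation logic for local signals cpu0_ok, cpu1_ok.

  cpuN_ok is true when soft_cnt equals WORDN 5 and both cpuN_fail and
  failureN_ are true.  The trailing underscore suggests failureN_ is active
  low, i.e. true means no failure is being reported -- confirm against the
  pin description.

  NOTE(review): restored from an OCR-damaged listing.
%

let Cpu_Ok_SPEC = new_definition
  (`Cpu_Ok_SPEC`,
   "! soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok .
      Cpu_Ok_SPEC soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok =
        (!t:time . (cpu0_ok t = ((soft_cnt t) = WORDN 5) /\ cpu0_fail t /\ failure0_ t) /\
                   (cpu1_ok t = ((soft_cnt t) = WORDN 5) /\ cpu1_fail t /\ failure1_ t))"
  );;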


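%
  Input logic for S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail latches.

  Produces set (inS), reset (inR) and enable (inE) inputs for the four
  failure latches.  All four are set by begin, so every failure flag starts
  out asserted and has to be cleared:
    pmm_fail   is reset by the pmm_fail input,
    cpu0_fail  is reset by bypass or cpu0_ok,
    cpu1_fail  is reset by bypass or cpu1_ok,
    piu_fail   is reset by bypass or the piu_fail input.
  Each enable is the OR of the latch's set and reset conditions.

  Review point: bypass on its own resets the CPU and PIU failure latches,
  independent of cpu0_ok and cpu1_ok; only pmm_fail has no bypass term.

  NOTE(review): restored from an OCR-damaged listing.  The closing
  parenthesis and terminator were missing and are supplied.
%

let Fail_In_SPEC = new_definition
  (`Fail_In_SPEC`,
   "! begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
      pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
      cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE .
      Fail_In_SPEC begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
                   pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
                   cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE =
        (!t:time . (pmm_fail_inS t = begin t) /\
                   (pmm_fail_inR t = pmm_fail t) /\
                   (pmm_fail_inE t = begin t \/ pmm_fail t) /\
                   (cpu0_fail_inS t = begin t) /\
                   (cpu0_fail_inR t = bypass t \/ cpu0_ok t) /\
                   (cpu0_fail_inE t = begin t \/ bypass t \/ cpu0_ok t) /\
                   (cpu1_fail_inS t = begin t) /\
                   (cpu1_fail_inR t = bypass t \/ cpu1_ok t) /\
                   (cpu1_fail_inE t = begin t \/ bypass t \/ cpu1_ok t) /\
                   (piu_fail_inS t = begin t) /\
                   (piu_fail_inR t = bypass t \/ piu_fail t) /\
                   (piu_fail_inE t = begin t \/ bypass t \/ piu_fail t))"
  );;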


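%
  Startup-controller controller state machine.

  Two-phase machine.  While clkA is high the input latches (state, rst,
  delay6, delay17, bothbad, bypass) hold, and the master state stateA and
  the decoded flags are computed.  While clkB is high the input latches
  sample stateA and the external inputs, and the flags hold.

  State sequence as written in the stateA equation:
    rst                 -> SSTART (from any state)
    SSTART              -> SRA
    SRA    on delay6    -> SO if bypass, else SPF
    SPF                 -> SC0I
    SC0I   on delay17   -> SC0F
    SC0F                -> ST
    ST                  -> SC1I
    SC1I   on delay17   -> SC1F
    SC1F                -> SS
    SS                  -> SSTOP if bothbad, else SCS
    SSTOP               -> SSTOP
    SCS    on delay6    -> SN
    SN     on delay17   -> SO
    anything else       -> SO
  SRA, SC0I, SC1I, SCS and SN wait in place until their delay bit is set.

  Review points:
    - bypass takes the machine from SRA straight to SO, skipping every
      state between SPF and SN;
    - SSTOP is left only through rst;
    - the final else-arm sends state SO and any value not listed to SO;
    - stateA is not constrained in the clkB phase of this listing, while the
      outputs read stateA (t+1) -- confirm against the original source.

  stateA_out is a 4-bit encoding of stateA (t+1) built with ALTER on bits
  0 to 3; the remaining outputs copy the flags at t+1.

  NOTE(review): restored from an OCR-damaged listing.  Letter O and digit 0
  (src0, sc0f, SC0I, SC0F), letter l and digit 1 (src1, sc1f, SC1I, SC1F),
  and the names srcp, srp, src and delay6 were each printed in several
  garbled spellings.  The closing quotation and terminator were missing and
  are supplied.
%

let FSM_SPEC = new_definition
  (`FSM_SPEC`,
   "! clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
      state rst delay6 delay17 bothbad bypass
      stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
      stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
      sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out .
      FSM_SPEC clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
               state rst delay6 delay17 bothbad bypass
               stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
               stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
               sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out =
        !t:time .
          ((clkA t) ==>
             ((state (t+1) = state t) /\
              (rst (t+1) = rst t) /\
              (delay6 (t+1) = delay6 t) /\
              (delay17 (t+1) = delay17 t) /\
              (bothbad (t+1) = bothbad t) /\
              (bypass (t+1) = bypass t) /\
              (stateA (t+1) =
                 ((rst t) => SSTART |
                  ((state t) = SSTART) => SRA |
                  ((state t) = SRA) => ((delay6 t) => ((bypass t) => SO | SPF) | SRA) |
                  ((state t) = SPF) => SC0I |
                  ((state t) = SC0I) => ((delay17 t) => SC0F | SC0I) |
                  ((state t) = SC0F) => ST |
                  ((state t) = ST) => SC1I |
                  ((state t) = SC1I) => ((delay17 t) => SC1F | SC1I) |
                  ((state t) = SC1F) => SS |
                  ((state t) = SS) => ((bothbad t) => SSTOP | SCS) |
                  ((state t) = SSTOP) => SSTOP |
                  ((state t) = SCS) => ((delay6 t) => SN | SCS) |
                  ((state t) = SN) => ((delay17 t) => SO | SN) | SO)) /\
              (sn (t+1) = (stateA (t+1) = SN)) /\
              (so (t+1) = (stateA (t+1) = SO)) /\
              (srcp (t+1) = ((~(stateA (t+1) = SO) /\ ~((state t) = SSTOP)) \/ ((state t) = SRA))) /\
              (sdi (t+1) = ((~(stateA (t+1) = SO) /\ ~((state t) = SSTOP)) \/ ((state t) = SRA))) /\
              (srp (t+1) = ((stateA (t+1) = SSTART) \/ (stateA (t+1) = SRA) \/ (stateA (t+1) = SC0F) \/
                            (stateA (t+1) = ST) \/ (stateA (t+1) = SC1F) \/ (stateA (t+1) = SS) \/
                            (stateA (t+1) = SCS))) /\
              (src0 (t+1) = (~(stateA (t+1) = SPF) /\ ~(stateA (t+1) = SC0I))) /\
              (src1 (t+1) = (~(stateA (t+1) = ST) /\ ~(stateA (t+1) = SC1I))) /\
              (spf (t+1) = (((state t) = SRA) /\ (delay6 t) /\ ~(rst t))) /\
              (sc0f (t+1) = (stateA (t+1) = SC0F)) /\
              (sc1f (t+1) = (stateA (t+1) = SC1F)) /\
              (spmf (t+1) = (stateA (t+1) = SO)) /\
              (sb (t+1) = (stateA (t+1) = SSTART)) /\
              (src (t+1) = ((stateA (t+1) = SSTART) \/ (((state t) = SRA) /\ (delay6 t)) \/
                            (stateA (t+1) = SC0F) \/ (stateA (t+1) = ST) \/ (stateA (t+1) = SC1F) \/
                            (stateA (t+1) = SS) \/ (((state t) = SCS) /\ (delay6 t)))) /\
              (sec (t+1) = ((~(stateA (t+1) = SSTOP) /\ ~(stateA (t+1) = SO)) \/ ((state t) = SN))) /\
              (srs (t+1) = ((((state t) = SPF) /\ ~(rst t)) \/ (((state t) = ST) /\ ~(rst t)))) /\
              (scs (t+1) = (stateA (t+1) = SCS)))) /\
          ((clkB t) ==>
             ((state (t+1) = stateA t) /\
              (rst (t+1) = rst_in t) /\
              (delay6 (t+1) = ELEMENT (delay_in t) (6)) /\
              (delay17 (t+1) = delay17_in t) /\
              (bothbad (t+1) = bothbad_in t) /\
              (bypass (t+1) = bypass_in t) /\
              (sn (t+1) = sn t) /\
              (so (t+1) = so t) /\
              (srcp (t+1) = srcp t) /\
              (sdi (t+1) = sdi t) /\
              (srp (t+1) = srp t) /\
              (src0 (t+1) = src0 t) /\
              (src1 (t+1) = src1 t) /\
              (spf (t+1) = spf t) /\
              (sc0f (t+1) = sc0f t) /\
              (sc1f (t+1) = sc1f t) /\
              (spmf (t+1) = spmf t) /\
              (sb (t+1) = sb t) /\
              (src (t+1) = src t) /\
              (sec (t+1) = sec t) /\
              (srs (t+1) = srs t) /\
              (scs (t+1) = scs t))) /\
          ((let a0 = (ALTER (stateA_out t) (0)
                        ((stateA (t+1) = SRA) \/ (stateA (t+1) = SPF) \/ (stateA (t+1) = ST) \/
                         (stateA (t+1) = SC1I) \/ (stateA (t+1) = SCS) \/ (stateA (t+1) = SN) \/
                         (stateA (t+1) = SO)))
            in
            (let a1 = (ALTER a0 (1)
                         ((stateA (t+1) = SPF) \/ (stateA (t+1) = SC0I) \/ (stateA (t+1) = SC0F) \/
                          (stateA (t+1) = ST) \/ (stateA (t+1) = SSTOP) \/ (stateA (t+1) = SO)))
             in
             (let a2 = (ALTER a1 (2)
                          ((stateA (t+1) = SC0F) \/ (stateA (t+1) = ST) \/ (stateA (t+1) = SC1I) \/
                           (stateA (t+1) = SC1F) \/ (stateA (t+1) = SS) \/ (stateA (t+1) = SSTOP) \/
                           (stateA (t+1) = SCS)))
              in
              (let a3 = (ALTER a2 (3)
                           ((stateA (t+1) = SS) \/ (stateA (t+1) = SSTOP) \/ (stateA (t+1) = SCS) \/
                            (stateA (t+1) = SN) \/ (stateA (t+1) = SO)))
               in
               (stateA_out t = a3))))) /\
           (sn_out t = sn (t+1)) /\
           (so_out t = so (t+1)) /\
           (srcp_out t = srcp (t+1)) /\
           (sdi_out t = sdi (t+1)) /\
           (srp_out t = srp (t+1)) /\
           (src0_out t = src0 (t+1)) /\
           (src1_out t = src1 (t+1)) /\
           (spf_out t = spf (t+1)) /\
           (sc0f_out t = sc0f (t+1)) /\
           (sc1f_out t = sc1f (t+1)) /\
           (spmf_out t = spmf (t+1)) /\
           (sb_out t = sb (t+1)) /\
           (src_out t = src (t+1)) /\
           (sec_out t = sec (t+1)) /\
           (srs_out t = srs (t+1)) /\
           (scs_out t = scs (t+1)))"
  );;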


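%
  Startup controller block.

  Structural specification: the body existentially quantifies the internal
  wires and conjoins one predicate per component.
    - Scnt_In_SPEC, Scnt_In1_SPEC and a 2-wide UPRCNT_SPEC form the
      soft-shot latch and the soft counter.
    - Delay_In_SPEC, a 17-wide UPRCNT_SPEC and Muxes_SPEC form the startup
      delay counter; Test selects which counter bits reach the FSM.
    - Bad_Cpu_In_SPEC and two DSRELAT_SPEC latches track the bad-CPU flags,
      which are ANDed with fsm_src0 and fsm_src1 to drive Reset_cpu0 and
      Reset_cpu1.
    - Fail_In_SPEC and four DSRELAT_SPEC latches hold Pmm_fail, Cpu0_fail,
      Cpu1_fail and Piu_fail; Cpu0_fail AND Cpu1_fail feeds the FSM as
      fsm_bothbad.
    - FSM_SPEC drives S_state, Reset_cport and Reset_piu directly and the
      fsm_* wires consumed above.

  Review points, all read off this listing:
    - soft_cnt_inR, delay_inL and delay_inU are existentially quantified but
      no conjunct drives them, so the specification leaves these counter
      inputs unconstrained -- confirm whether a conjunct was lost;
    - fsm_sec and fsm_srs are produced by FSM_SPEC and used nowhere else;
    - the cpu_hist DFF_SPEC lists S_cpu_histA before S_cpu_hist, the
      opposite of the other DFF_SPEC conjunct -- confirm the intended order;
    - Bypass enters both Fail_In_SPEC and FSM_SPEC, so it influences the
      failure latches as well as the state sequence.

  NOTE(review): restored from an OCR-damaged listing; identifiers were
  rebuilt by matching the quantifier list, the state tuple and the conjunct
  arguments against each other.
%

let S_Block_SPEC = new_definition
  (`S_Block_SPEC`,
   "! (S_fsm_stateA S_fsm_state :(time->sfsm_ty))
      (S_soft_cntA S_delayA S_soft_cnt S_delay :(time->wordn))
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
       S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs
       S_soft_shot S_soft_shot_delA S_instart S_cpu_histA
       S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
       S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_piu_fail S_cpu_hist :(time->bool))
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :(time->bool))
      (S_state :(time->wordn))
      (Reset_cport Disable_int Reset_piu Reset_cpu0 Reset_cpu1 Cpu_hist Piu_fail Cpu0_fail Cpu1_fail
       Pmm_fail :(time->bool)) .
      S_Block_SPEC (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
                    S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
                    S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                    S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                    S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                    S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
                   (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
                   (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
                    Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail) =
        (!t:time .
           ? fsm_delay17 fsm_bothbad
             fsm_sn fsm_so fsm_sdi fsm_src0 fsm_src1 fsm_spf fsm_sc0f fsm_sc1f fsm_spmf fsm_sb
             fsm_src fsm_sec fsm_srs fsm_scs NC
             soft_shot_inD soft_shot_outQ soft_shot_del_outQ
             soft_cnt_inL soft_cnt_inU soft_cnt_inR soft_cnt_outQ
             delay_inL delay_inU delay_inR delay_outQ instart_inD instart_outQ
             bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE bad_cpu0_outQ reset_cpu0_inD
             bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE bad_cpu1_outQ reset_cpu1_inD cpu_hist_inD
             cpu0_ok cpu1_ok
             pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
             cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE .
           (Scnt_In_SPEC Gcrh Gcrl soft_shot_inD soft_cnt_inL) /\
           (DLAT_SPEC soft_shot_inD ClkA S_soft_shot soft_shot_outQ) /\
           (DFF_SPEC soft_shot_outQ ClkA S_soft_shot_del S_soft_shot_delA soft_shot_del_outQ) /\
           (Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU) /\
           (UPRCNT_SPEC 2 (GNDN 2) soft_cnt_inL soft_cnt_inU soft_cnt_inR ClkA S_soft_cnt S_soft_cntA
                        soft_cnt_outQ NC) /\
           (Delay_In_SPEC fsm_scs delay_outQ fsm_src delay_inR) /\
           (UPRCNT_SPEC 17 (GNDN 17) delay_inL delay_inU delay_inR ClkA S_delay S_delayA delay_outQ NC) /\
           (Muxes_SPEC delay_outQ Test instart_inD fsm_delay17) /\
           (DLAT_SPEC instart_inD ClkA S_instart instart_outQ) /\
           (Dis_Int_Out_SPEC instart_outQ fsm_sn delay_outQ fsm_sdi Disable_int) /\
           (AND2_SPEC Cpu0_fail Cpu1_fail fsm_bothbad) /\
           (Bad_Cpu_In_SPEC fsm_sn fsm_so Cpu0_fail Cpu1_fail fsm_sb
                            bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
                            bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE) /\
           (DSRELAT_SPEC GND bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE ClkB S_bad_cpu0 bad_cpu0_outQ) /\
           (DSRELAT_SPEC GND bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE ClkB S_bad_cpu1 bad_cpu1_outQ) /\
           (AND2_SPEC bad_cpu0_outQ fsm_src0 reset_cpu0_inD) /\
           (AND2_SPEC bad_cpu1_outQ fsm_src1 reset_cpu1_inD) /\
           (DLAT_SPEC reset_cpu0_inD ClkB S_reset_cpu0 Reset_cpu0) /\
           (DLAT_SPEC reset_cpu1_inD ClkB S_reset_cpu1 Reset_cpu1) /\
           (AND3_SPEC Reset_cpu0 Reset_cpu1 Bypass cpu_hist_inD) /\
           (DFF_SPEC cpu_hist_inD ClkB S_cpu_histA S_cpu_hist Cpu_hist) /\
           (Fail_In_SPEC fsm_sb fsm_spmf fsm_spf Bypass cpu0_ok cpu1_ok
                         pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
                         cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE) /\
           (DSRELAT_SPEC GND pmm_fail_inS pmm_fail_inR pmm_fail_inE ClkB S_pmm_fail Pmm_fail) /\
           (DSRELAT_SPEC GND cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE ClkB S_cpu0_fail Cpu0_fail) /\
           (DSRELAT_SPEC GND cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE ClkB S_cpu1_fail Cpu1_fail) /\
           (DSRELAT_SPEC GND piu_fail_inS piu_fail_inR piu_fail_inE ClkB S_piu_fail Piu_fail) /\
           (Cpu_Ok_SPEC soft_cnt_outQ fsm_sc0f fsm_sc1f Failure0_ Failure1_ cpu0_ok cpu1_ok) /\
           (FSM_SPEC ClkA ClkB Rst delay_outQ fsm_delay17 fsm_bothbad Bypass
                     S_fsm_state S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
                     S_fsm_stateA S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1
                     S_fsm_spf S_fsm_sc0f S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs
                     S_fsm_scs
                     S_state fsm_sn fsm_so Reset_cport fsm_sdi Reset_piu fsm_src0 fsm_src1 fsm_spf
                     fsm_sc0f fsm_sc1f fsm_spmf fsm_sb fsm_src fsm_sec fsm_srs fsm_scs))"
  );;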

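% Close the s_block theory opened by new_theory above (call restored from an OCR-garbled line). %
close_theory();;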
Appendix C ML Source for the Phase-Level Specification of the PIU Ports.

This appendix contains the HOL models used in the phase-level specification for the PIU ports. They are 
listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.

C.1 P Port Specification 

File: p_phase.ml

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the phase-level specification of the P-Port of the FTEP BIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

The bulk of this code was translated from an M-language simulation program using a translator 
written by P.J. Windley at the University of Idaho.

% 


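% NOTE(review): restored from an OCR-damaged listing; string quotes, list
  brackets and the wordn/bool spellings in the types were rebuilt from
  context, and the component counts were checked against the tuples. %

% The library path is absolute and specific to the author's machine. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

% Shells out to delete any stale theory file in the current directory,
  presumably because new_theory will not overwrite an existing one. %
system `rm p_phase.th`;;
new_theory `p_phase`;;

map new_parent [`paux_def`;`aux_def`;`array_def`;`wordn_def`];;

% Latched state of the P-Port; component order matches p_state. %
let p_state_ty = ":(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#wordn#bool#bool#
                    pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool)";;

let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                 P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                 P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                 P_lock_inh_, P_male_, P_rale_)
                :(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#wordn#bool#bool#
                  pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool))";;

% Environment inputs: clocks and reset, the L-bus signals, and the I-bus signals. %
let p_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;

let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              :(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool))";;

% Outputs toward the L-bus and the I-bus. %
let p_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;

let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
               I_mrdy_, I_last_, I_hlda_, I_lock_)
              :(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool))";;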


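%
  Next_state definition for Phase-A instruction.

  PH_A_inst maps the current state tuple and the environment tuple to the
  state tuple after a phase-A step.
    - new_P_fsm_stateA is the next master state of the P-Port FSM:
        reset                                -> PA
        PH                                   -> PA when hold_ is high, else PH
        PA   on mrqt, or crqt_ and cgnt_ low -> PD
        PA   on lock_ high and hold_ low     -> PH
        PD   on sack, when hold_ is high or lock_ is low      -> PA
        PD   on sack with hold_ low and lock_ high            -> PH
        any other state value                -> P_ILL
    - astate, dstate and hlda_ are decoded from that new master state.
    - P_addr, P_dest1, P_be_ and P_wr are captured from the L-bus only while
      P_rqt is low; once a request is pending they keep their values.
    - P_wr_data and P_be_n_ always follow L_ad_in and L_be_.
    - P_sizeA, P_loadA and P_downA copy P_size, P_load and P_down; every
      remaining component holds its value.

  NOTE(review): restored from an OCR-damaged listing.  P_ILL and P_dest1
  are readings of garbled names; the equals sign after the argument tuples,
  one comma in the result tuple and the closing quotation were missing and
  are supplied.
%

let PH_A_inst_def = new_definition
  (`PH_A_inst`,
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn) .

      PH_A_inst (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                 P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                 P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                 P_lock_inh_, P_male_, P_rale_)
                (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =

      let new_P_fsm_stateA =
        ((P_fsm_rst) => PA |
        ((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
        ((P_fsm_state = PA) =>
           ((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
           ((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
        ((P_fsm_state = PD) =>
           (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
           ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
      let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
      let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
      let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
      let new_P_wr_data = L_ad_in in
      let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
      let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
      let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
      let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
      let new_P_be_n_ = L_be_ in
      let new_P_loadA = P_load in
      let new_P_downA = P_down in
      let new_P_sizeA = P_size in
      let new_P_fsm_state = P_fsm_state in
      let new_P_fsm_rst = P_fsm_rst in
      let new_P_fsm_mrqt = P_fsm_mrqt in
      let new_P_fsm_sack = P_fsm_sack in
      let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
      let new_P_fsm_crqt_ = P_fsm_crqt_ in
      let new_P_fsm_hold_ = P_fsm_hold_ in
      let new_P_fsm_lock_ = P_fsm_lock_ in
      let new_P_rqt = P_rqt in
      let new_P_size = P_size in
      let new_P_load = P_load in
      let new_P_down = P_down in
      let new_P_lock_ = P_lock_ in
      let new_P_lock_inh_ = P_lock_inh_ in
      let new_P_male_ = P_male_ in
      let new_P_rale_ = P_rale_ in
      (new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_dest1,
       new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst,
       new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_hold_, new_P_fsm_lock_,
       new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
  );;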


% 

Output definition for Phase-A instruction.


■% 


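% PH_A_out: outputs of the P-Port during clock phase A.

  Arguments are the 29-component P-Port state tuple and the 13-component
  environment tuple. The result is the 13-component output tuple
  (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_,
   I_lock_, I_cale_, I_male_, I_rale_, I_crqt_, L_ad_out).

  The phase-A next-state values are recomputed here (the same bindings a
  next-state definition would make) and the outputs are expressed over those
  new_ values, not over the incoming state.

  Reading notes for a verifier:
  - ARB and ARBN are used wherever an output is given no defined value, for
    example every I-Bus control output when new_P_fsm_hlda_ is false.
    Presumably these are unconstrained constants from a parent theory; a proof
    about the bus must not depend on their value.  TODO confirm in aux_def.
  - I_lock_ is ~(~new_P_lock_ /\ new_P_lock_inh_), so the latched lock is
    passed to the I-Bus only while the inhibit latch is true.
  - Signals with a trailing underscore look active-low; the definition itself
    does not say so.

  NOTE(review): symbols were restored from a scanned listing.  P_destl is kept
  as printed (it may be P_dest1); od0 and od1 follow the od2..od4 sequence.
  The (31,27) range for the byte enables is as printed in both P-Port output
  definitions.  Confirm against the machine-readable source before reuse.
%
let PH_A_out_def = new_definition
  (`PH_A_out`,
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn) .
    PH_A_out (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
              P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
              P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
              P_lock_inh_, P_male_, P_rale_)
             (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
    let new_P_fsm_stateA =
      ((P_fsm_rst) => PA |
      ((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
      ((P_fsm_state = PA) =>
         ((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
         ((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
      ((P_fsm_state = PD) =>
         (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
         ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
    let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
    let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
    let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
    let new_P_wr_data = L_ad_in in
    let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
    let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
    let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
    let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
    let new_P_be_n_ = L_be_ in
    let new_P_loadA = P_load in
    let new_P_downA = P_down in
    let new_P_sizeA = P_size in
    let new_P_fsm_state = P_fsm_state in
    let new_P_fsm_rst = P_fsm_rst in
    let new_P_fsm_mrqt = P_fsm_mrqt in
    let new_P_fsm_sack = P_fsm_sack in
    let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
    let new_P_fsm_crqt_ = P_fsm_crqt_ in
    let new_P_fsm_hold_ = P_fsm_hold_ in
    let new_P_fsm_lock_ = P_fsm_lock_ in
    let new_P_rqt = P_rqt in
    let new_P_size = P_size in
    let new_P_load = P_load in
    let new_P_down = P_down in
    let new_P_lock_ = P_lock_ in
    let new_P_lock_inh_ = P_lock_inh_ in
    let new_P_male_ = P_male_ in
    let new_P_rale_ = P_rale_ in
    let p_ale = (~L_ads_ /\ L_den_) in
    let p_sack = ((new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ new_P_fsm_dstate) in
    let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
    let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
    let od0 = ARBN in
    let od1 = (MALTER od0 (31,27) new_P_be_) in
    let od2 = (ALTER od1 (26) F) in
    let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
    let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
    let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
    let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
    let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
    let I_rale_ = ((new_P_fsm_hlda_) =>
      ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
    let I_male_ = ((new_P_fsm_hlda_) =>
      ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
    let I_crqt_ = ~(new_P_destl /\ new_P_rqt) in
    let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
    let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
    let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
    let I_hlda_ = new_P_fsm_hlda_ in
    let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
    (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
     I_crqt_, L_ad_out)"
  );;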


%
Next-state definition for Phase-B instruction.
%


let PH.B.inst.def = new.definition 
( 4 PH_B_inst\ 

44 1 (P.fsm.state P.fsm.stateA :pfsm_ty) 

(P.fsm.astate P.fsm.dstate P.fsm.hlda. P.destl P.wr P.loadA P.downA :bool) 

(P.fsm.rst P.fsm.mrqt P.fsm.sack P.fsm.cgnt. P.fsm.crqt. P.fsm.hold. P.fsm.lock. P.rqt P.load :bool) 
(P.down P.lock. P.lock.inh. P.male. P.rale. :bool) 

(P.wr.data P.addr P.be. P.be.n. P.sizeA P.size :wordn) 

(ClkA ClkB Rst L.ads. L.den. L.wr L.lock. I.cgnt. I.hold. I.srdy. :bool) (L.ad.in L.be. I.ad.in :wordn) . 
PH.B.inst (P.fsm.stateA, P.fsm.astate, P.fsm.dstate, P.fsm.hlda., P.wr.data, P.addr, P.destl, P.be., 

P.wr, P.be.n., P.sizeA, P.loadA, P.downA, P.fsm.state, P.fsm.rst, P.fsm.mrqt, P.fsm.sack, 
P.fsm.cgnt., P.fsm.crqt., P.fsm.hold^ P.fsm.lock., P _jqt, P.size, P.load, P.down, P.lock., 
PJockJnh., P.male., P.rale.) 

(ClkA, ClkB, Rst, L.ad.in, L.ads., L.den., L_be_, L.wr, L.lock., I.ad.in, I.cgnt., I.hold., I.srdy.) = 
let p.ale = (-L.ads. A L.den.) in 
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let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 1 WORDN 0)) A ~I_srdy_ A P_fsm_dstate) in 
let new_P_rqt = ((p_ale A ~(p_sack V Rst)) => T I 
((~p_ale A (p_sack V Rst)) => F I 
((~p_ale A ~(p_sack V Rst)) => P_rqt l ARB))) in 
let new_P_load = ~new_P_rqt in 
let new_P_down = (~I_srdy_ A P_fsm_dstate) in 
let new_P_size = ((P_loadA) => (SUB ARRAY L_ad_in (1,0)) I 

((P.downA) => DECN 1 P.sizeA I P.sizeA)) in 
let new_P_male_ = ((P_fsm_astate) => 

-(-P.destl A (-((SUBARRAY P_addr (25,24)) = (WORDN 3))) A new_P_rqt) I P_male_) in 
let new_P_rale_ = ((P_fsm_astate) => 

-(-P_destl A ((SUB ARRAY P_addr (25,24)) = (WORDN 3)) A new_P_rqt) I P_raleJ in 

let new_P_lock_ = ((Rst) => T I 

((P_fsm_d state) => L_lock_ I PJock_)) in 
let new_P_lock_i nh_ = ((Rst) => T ! 

((~new_P_male_ V -newJPjaleJ => L_lock_ I PJockJnh J) in 

let new_P_fsm_state = P_fsm_stateA in 
let new_P_fsm_rst = Rst in 

let new_P_fsm_mrqt = (~P_destl A new _P_rqt) in 

let new_P_fsm_sack = p_sack in 

let new_P_fsm_cgnt_ = I_cgnt_ in 

let new_P_fsm_crqt_ = ~(P_destl A new_P_rqt) in 

let new_P_fsm_hold_ = I_hold_ in 

let new_P_fsm_lock_ = new_P_lock_ in 

let new_P_fsm_stateA = P_fsm_stateA in 

let new_P_fsm_astate = P_fsm_astate in 

let new_P_fsm_dstate = P__fsm_dstate in 

let new_P_fsm_hlda_ = P_fsm_hlda_ in 

let new_P_wr_data = P_wr_data in 

let new_P_addr = P_addr in 

let new _P_destl = P_destl in 

let new_P_be_ = P_be_ in 

let new_P_wr = P_wr in 

let new_P_be_n_ = P_b e _ D _ m 

let new_P_sizeA = P_sizeA in 

let new_P_loadA = P_loadA in 

let new_P_downA = P_downA in 

(new_P_fsm_stateA, ne w_P_fsm_astate , new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_destl, 
new_P be new_P_wr, new_P_be_n_, new_P_sizeA, new_JMoadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst, 
new_PJsm_mrqt, new _P_fsm_sack, new_P_fsm_cgnt_, new J > _fsm_crqt_, new_P_fsmJiold_, new_P_fsm_lock_, 
new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_) 

);; 


%
Output definition for Phase-B instruction.
%


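% PH_B_out: outputs of the P-Port during clock phase B.

  Takes the 29-component P-Port state tuple and the 13-component environment
  tuple and returns the 13-component output tuple
  (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_,
   I_lock_, I_cale_, I_male_, I_rale_, I_crqt_, L_ad_out).

  The phase-B next-state bindings are repeated first; the outputs are then
  written over the new_ values.

  Reading notes for a verifier:
  - new_P_rqt is ARB when p_ale holds together with (p_sack \/ Rst), and
    I_male_, I_rale_ and I_crqt_ all read new_P_rqt, so those outputs are
    undefined in that case as well.
  - The I-Bus control outputs are ARB or ARBN whenever new_P_fsm_hlda_ is
    false.
  - I_lock_ is ~(~new_P_lock_ /\ new_P_lock_inh_); both latches are forced to
    T while Rst is true, which makes I_lock_ true under reset.

  NOTE(review): symbols were restored from a scanned listing; P_destl is kept
  as printed (it may be P_dest1), and (31,27) is as printed.  Confirm against
  the machine-readable source before reuse.
%
let PH_B_out_def = new_definition
  (`PH_B_out`,
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn) .
    PH_B_out (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
              P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
              P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
              P_lock_inh_, P_male_, P_rale_)
             (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
    let p_ale = (~L_ads_ /\ L_den_) in
    let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
    let new_P_rqt = ((p_ale /\ ~(p_sack \/ Rst)) => T |
                    ((~p_ale /\ (p_sack \/ Rst)) => F |
                    ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
    let new_P_load = ~new_P_rqt in
    let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
    let new_P_size = ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
                     ((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
    let new_P_male_ = ((P_fsm_astate) =>
      ~(~P_destl /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
    let new_P_rale_ = ((P_fsm_astate) =>
      ~(~P_destl /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
    let new_P_lock_ = ((Rst) => T |
                      ((P_fsm_dstate) => L_lock_ | P_lock_)) in
    let new_P_lock_inh_ = ((Rst) => T |
                          ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
    let new_P_fsm_state = P_fsm_stateA in
    let new_P_fsm_rst = Rst in
    let new_P_fsm_mrqt = (~P_destl /\ new_P_rqt) in
    let new_P_fsm_sack = p_sack in
    let new_P_fsm_cgnt_ = I_cgnt_ in
    let new_P_fsm_crqt_ = ~(P_destl /\ new_P_rqt) in
    let new_P_fsm_hold_ = I_hold_ in
    let new_P_fsm_lock_ = new_P_lock_ in
    let new_P_fsm_stateA = P_fsm_stateA in
    let new_P_fsm_astate = P_fsm_astate in
    let new_P_fsm_dstate = P_fsm_dstate in
    let new_P_fsm_hlda_ = P_fsm_hlda_ in
    let new_P_wr_data = P_wr_data in
    let new_P_addr = P_addr in
    let new_P_destl = P_destl in
    let new_P_be_ = P_be_ in
    let new_P_wr = P_wr in
    let new_P_be_n_ = P_be_n_ in
    let new_P_sizeA = P_sizeA in
    let new_P_loadA = P_loadA in
    let new_P_downA = P_downA in
    let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
    let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
    let od0 = ARBN in
    let od1 = MALTER od0 (31,27) new_P_be_ in
    let od2 = ALTER od1 (26) F in
    let od3 = MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0)) in
    let od4 = MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2)) in
    let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
    let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
    let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
    let I_rale_ = ((new_P_fsm_hlda_) =>
      ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
    let I_male_ = ((new_P_fsm_hlda_) =>
      ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
    let I_crqt_ = ~(new_P_destl /\ new_P_rqt) in
    let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
    let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
    let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
    let I_hlda_ = new_P_fsm_hlda_ in
    let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
    (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
     I_crqt_, L_ad_out)"
  );;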

close_theory();; 
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C.2 M Port Specification 


%
File:

m_phase.ml

Author:

(c) D.A. Fura 1992

Date:

31 March 1992


This file contains the ml source for the phase-level specification of the M-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.


%


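% Theory set-up and tuple types for the M-Port phase-level specification.

  The search path is extended with one absolute directory under a user's home
  directory, and the file abstract is then loaded by name.  Because the
  directory is appended, entries already on the search path come first.
  NOTE(review): everything loaded here (abstract, and the parent theories
  maux_def, aux_def, array_def, wordn_def) is part of what the resulting
  theory rests on; for a reproducible proof run, confirm which copy is
  actually picked up and that it is under version control.

  The system call removes m_phase.th before new_theory is called, presumably
  so that a stale theory file from an earlier run does not block creation.

  m_state_ty, m_env_ty and m_out_ty are the 30-, 13- and 9-component product
  types of the state, environment and output tuples; m_state, m_env and m_out
  are variable tuples of those types.  The component order must agree with
  the tuple patterns used in the PH_A and PH_B definitions of this theory.
%
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm m_phase.th`;;
new_theory `m_phase`;;
loadf `abstract`;;

map new_parent [`maux_def`;`aux_def`;`array_def`;`wordn_def`];;

let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
                    mfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                 M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                 M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                 M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                :^m_state_ty)";;

let m_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              :^m_env_ty)";;

let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
               MB_parity)
              :^m_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;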

%
Next-state definition for Phase-A instruction.
%

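% PH_A_inst: next state of the M-Port for clock phase A.

  Takes the 30-component M-Port state tuple and the 13-component environment
  tuple and returns the next state tuple in the same component order.

  Phase A advances the memory FSM (new_M_fsm_stateA) from the FSM inputs that
  were latched earlier (M_fsm_rst, M_fsm_male_, M_fsm_mrdy_, M_fsm_rd,
  M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_zero_cnt), derives the one-hot style
  flags address, read, write, byte_write and mem_enable from the new FSM
  state, and copies M_addr, M_be, M_count, M_rdy and M_rd_data into their
  A-suffixed latches.  Every other component is carried over unchanged.

  Reading notes for a verifier:
  - M_fsm_rst takes priority over every other transition and forces MI.
  - M_ILL is the value when M_fsm_state matches none of MI, MA, MR, MRR, MW,
    MBW.  Whether M_ILL can be reached depends on mfsm_ty, which is defined
    elsewhere; a proof should state this explicitly.

  NOTE(review): symbols were restored from a scanned listing.  M_fsm_male_ is
  absent from the argument tuple in the scan and is restored here from the
  state tuple used by the other M-Port definitions.  Confirm against the
  machine-readable source before reuse.
%
let PH_A_inst_def = new_definition
  (`PH_A_inst`,
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool) .
    PH_A_inst (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
               M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
               M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
               M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
              (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity) =
    let new_M_fsm_stateA =
      ((M_fsm_rst) => MI |
      ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
      ((M_fsm_state = MA) =>
         ((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
         ((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
      ((M_fsm_state = MR) =>
         ((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
         ((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
         ((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
      ((M_fsm_state = MRR) => MI |
      ((M_fsm_state = MW) =>
         ((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
         ((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
      ((M_fsm_state = MBW) => MW | M_ILL))))))) in
    let new_M_fsm_address = (new_M_fsm_stateA = MA) in
    let new_M_fsm_read = (new_M_fsm_stateA = MR) in
    let new_M_fsm_write = (new_M_fsm_stateA = MW) in
    let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
    let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
    let new_M_addrA = M_addr in
    let new_M_beA = M_be in
    let new_M_countA = M_count in
    let new_M_rdyA = M_rdy in
    let new_M_rd_dataA = M_rd_data in
    let new_M_fsm_state = M_fsm_state in
    let new_M_fsm_male_ = M_fsm_male_ in
    let new_M_fsm_rd = M_fsm_rd in
    let new_M_fsm_bw = M_fsm_bw in
    let new_M_fsm_ww = M_fsm_ww in
    let new_M_fsm_last_ = M_fsm_last_ in
    let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
    let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
    let new_M_fsm_rst = M_fsm_rst in
    let new_M_se = M_se in
    let new_M_wr = M_wr in
    let new_M_addr = M_addr in
    let new_M_be = M_be in
    let new_M_count = M_count in
    let new_M_rdy = M_rdy in
    let new_M_wwdel = M_wwdel in
    let new_M_parity = M_parity in
    let new_M_rd_data = M_rd_data in
    let new_M_detect = M_detect in
    (new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
     new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
     new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
     new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
     new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
  );;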


%
Output definition for Phase-A instruction.
%


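% PH_A_out: outputs of the M-Port during clock phase A.

  Takes the 30-component M-Port state tuple, the 13-component environment
  tuple and the representation argument rep, and returns the 9-component
  output tuple (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_,
  MB_cs_sram_, MB_we_, MB_oe_, MB_parity).

  The phase-A next-state bindings are repeated first; the outputs are written
  over the new_ values.

  Reading notes for a verifier (write protection and error coding):
  - MB_we_ is the negation of a three-way conjunction.  The write strobe is
    blocked whenever Disable_writes is true.  For the EEPROM the strobe also
    needs ~Disable_eeprom, but that condition is one disjunct of
    (new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom), so it is bypassed
    when new_M_se is true and also when new_M_fsm_mem_enable is false.
    NOTE(review): in the second case both chip selects below evaluate to
    true, so EEPROM protection in that state seems to rest on the chip
    selects and not on MB_we_; worth stating as an explicit proof obligation.
  - MB_cs_eeprom_ and MB_cs_sram_ are selected by new_M_se and are both true
    when new_M_fsm_mem_enable is false.
  - MB_data_out is Ham_Enc rep mb_data during a write and ARBN otherwise.
    mb_data takes each byte from I_ad_in when the matching bit of new_M_beA
    is set and from new_M_rd_dataA otherwise.  Ham_Enc is not defined in this
    file.
  - I_ad_out, I_srdy_ and MB_data_out are ARB or ARBN outside their enabling
    conditions; properties must not depend on those values.

  NOTE(review): symbols were restored from a scanned listing, and the closing
  parenthesis and terminator of the definition, missing in the scan, are
  restored.  Confirm against the machine-readable source before reuse.
%
let PH_A_out_def = new_definition
  (`PH_A_out`,
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty) .
    PH_A_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
              M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
              M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
              M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
             (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
              I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
             rep =
    let new_M_fsm_stateA =
      ((M_fsm_rst) => MI |
      ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
      ((M_fsm_state = MA) =>
         ((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
         ((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
      ((M_fsm_state = MR) =>
         ((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
         ((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
         ((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
      ((M_fsm_state = MRR) => MI |
      ((M_fsm_state = MW) =>
         ((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
         ((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
      ((M_fsm_state = MBW) => MW | M_ILL))))))) in
    let new_M_fsm_address = (new_M_fsm_stateA = MA) in
    let new_M_fsm_read = (new_M_fsm_stateA = MR) in
    let new_M_fsm_write = (new_M_fsm_stateA = MW) in
    let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
    let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
    let new_M_addrA = M_addr in
    let new_M_beA = M_be in
    let new_M_countA = M_count in
    let new_M_rdyA = M_rdy in
    let new_M_rd_dataA = M_rd_data in
    let new_M_fsm_state = M_fsm_state in
    let new_M_fsm_male_ = M_fsm_male_ in
    let new_M_fsm_rd = M_fsm_rd in
    let new_M_fsm_bw = M_fsm_bw in
    let new_M_fsm_ww = M_fsm_ww in
    let new_M_fsm_last_ = M_fsm_last_ in
    let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
    let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
    let new_M_fsm_rst = M_fsm_rst in
    let new_M_se = M_se in
    let new_M_wr = M_wr in
    let new_M_addr = M_addr in
    let new_M_be = M_be in
    let new_M_count = M_count in
    let new_M_rdy = M_rdy in
    let new_M_wwdel = M_wwdel in
    let new_M_parity = M_parity in
    let new_M_rd_data = M_rd_data in
    let new_M_detect = M_detect in
    let m_rdy = ((new_M_fsm_write /\ (new_M_countA = (WORDN 1)))
                 \/ (new_M_fsm_read /\ (new_M_countA = (WORDN 1)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((new_M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let mb_data_7_0 =
      ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY new_M_rd_dataA (7,0))) in
    let mb_data_15_8 =
      ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY new_M_rd_dataA (15,8))) in
    let mb_data_23_16 =
      ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA (23,16))) in
    let mb_data_31_24 =
      ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY new_M_rd_dataA (31,24))) in
    let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
                                           (15,8) mb_data_15_8)
                                   (23,16) mb_data_23_16)
                           (31,24) mb_data_31_24)) in
    let I_ad_out = ((~new_M_wr /\ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
    let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
    let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
    let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
    let MB_cs_eeprom_ = ~(new_M_fsm_mem_enable /\ ~new_M_se) in
    let MB_cs_sram_ = ~(new_M_fsm_mem_enable /\ new_M_se) in
    let MB_we_ = ~((new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom)
                   /\ ~Disable_writes
                   /\ (new_M_fsm_byte_write \/ new_M_fsm_write \/ new_M_wwdel)) in
    let MB_oe_ = ~((~new_M_wr /\ new_M_fsm_address) \/ new_M_fsm_read) in
    let MB_parity = new_M_parity in
    (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
  );;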
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% 

Next-state definition for Phase-B instruction.
%


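% PH_B_inst: next state of the M-Port for clock phase B.

  Takes the 30-component M-Port state tuple, the 13-component environment
  tuple and the representation argument rep, and returns the next state tuple
  in the same component order.  The FSM flags and the A-suffixed latches are
  carried over; the address, count, byte-enable, read-data, error-detection
  and FSM-input latches are updated from the I-Bus and memory-bus inputs.

  Reading notes for a verifier (error detection path):
  - new_M_rd_data is Ham_Dec rep MB_data_in while M_fsm_read is true.
  - new_M_detect is Ham_Det1 rep MB_data_in only when ~Edac_en_ holds; when
    Edac_en_ is true the detect word is forced to WORDN 0.  Ham_Det2 is still
    given ~Edac_en_ as its second component.  The Ham_ functions are not
    defined in this file.
  - m_error additionally requires ~m_srdy_ and M_fsm_mem_enable.
  - new_M_parity is written as a set/reset latch: set by m_error, cleared by
    (Rst \/ Reset_parity).  When m_error is true together with
    (Rst \/ Reset_parity) the value is ARB, so the specification does not say
    whether an error seen during a reset or parity-reset request is retained.
    A claim that no detected error is ever lost needs an assumption that
    excludes this case.
  - The binding order matters: new_M_count reads new_M_se, new_M_be reads
    m_srdy_, and new_M_detect and m_error read new_M_wr.

  NOTE(review): symbols were restored from a scanned listing (Ham_Det1
  follows Ham_Det2), and the closing term quote and terminator of the
  definition, missing in the scan, are restored.  Confirm against the
  machine-readable source before reuse.
%
let PH_B_inst_def = new_definition
  (`PH_B_inst`,
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty) .
    PH_B_inst (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
               M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
               M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
               M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
              (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              rep =
    let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
    let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
    let new_M_addr =
      ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
      ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
    let new_M_count =
      ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
      ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
    let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0)))
                 \/ (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
    let new_M_rdy = m_rdy in
    let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
    let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
    let new_M_detect =
      (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
         ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
    let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
    let new_M_parity =
      ((m_error /\ ~(Rst \/ Reset_parity)) => T |
      ((~m_error /\ (Rst \/ Reset_parity)) => F |
      ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
    let new_M_fsm_state = M_fsm_stateA in
    let new_M_fsm_male_ = I_male_ in
    let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
    let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
    let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
    let new_M_fsm_last_ = I_last_ in
    let new_M_fsm_mrdy_ = I_mrdy_ in
    let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
    let new_M_fsm_rst = Rst in
    let new_M_fsm_stateA = M_fsm_stateA in
    let new_M_fsm_address = M_fsm_address in
    let new_M_fsm_read = M_fsm_read in
    let new_M_fsm_write = M_fsm_write in
    let new_M_fsm_byte_write = M_fsm_byte_write in
    let new_M_fsm_mem_enable = M_fsm_mem_enable in
    let new_M_addrA = M_addrA in
    let new_M_beA = M_beA in
    let new_M_countA = M_countA in
    let new_M_rdyA = M_rdyA in
    let new_M_rd_dataA = M_rd_dataA in
    (new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
     new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
     new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
     new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
     new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
  );;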


% 

Output definition for Phase-B instruction.

% 


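% PH_B_out: outputs of the M-Port during clock phase B.

  Takes the 30-component M-Port state tuple, the 13-component environment
  tuple and the representation argument rep, and returns the 9-component
  output tuple (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_,
  MB_cs_sram_, MB_we_, MB_oe_, MB_parity).

  The phase-B next-state bindings are repeated first; the outputs are written
  over the new_ values.

  Reading notes for a verifier:
  - m_rdy and m_srdy_ are bound twice.  The first pair (count compared with
    WORDN 0) feeds new_M_be, new_M_rdy and m_error; the second pair (A-latched
    count compared with WORDN 1) shadows it and is the one read by I_srdy_.
  - MB_parity is new_M_parity, which is ARB when m_error holds together with
    (Rst \/ Reset_parity); the reported parity status is therefore undefined
    in that case.
  - MB_we_ is blocked whenever Disable_writes is true.  The ~Disable_eeprom
    condition is one disjunct of
    (new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom) and is bypassed
    when new_M_se is true or new_M_fsm_mem_enable is false.
    NOTE(review): with mem_enable false both chip selects evaluate to true,
    so EEPROM protection in that state seems to rest on the chip selects;
    worth stating as an explicit proof obligation.
  - I_ad_out, I_srdy_ and MB_data_out are ARB or ARBN outside their enabling
    conditions.

  NOTE(review): symbols were restored from a scanned listing, and the closing
  parenthesis and terminator of the definition, missing in the scan, are
  restored.  Confirm against the machine-readable source before reuse.
%
let PH_B_out_def = new_definition
  (`PH_B_out`,
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty) .
    PH_B_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
              M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
              M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
              M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
             (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
              I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
             rep =
    let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
    let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
    let new_M_addr =
      ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
      ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
    let new_M_count =
      ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
      ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
    let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0)))
                 \/ (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
    let new_M_rdy = m_rdy in
    let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
    let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
    let new_M_detect =
      (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
         ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
    let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
    let new_M_parity =
      ((m_error /\ ~(Rst \/ Reset_parity)) => T |
      ((~m_error /\ (Rst \/ Reset_parity)) => F |
      ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
    let new_M_fsm_state = M_fsm_stateA in
    let new_M_fsm_male_ = I_male_ in
    let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
    let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
    let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
    let new_M_fsm_last_ = I_last_ in
    let new_M_fsm_mrdy_ = I_mrdy_ in
    let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
    let new_M_fsm_rst = Rst in
    let new_M_fsm_stateA = M_fsm_stateA in
    let new_M_fsm_address = M_fsm_address in
    let new_M_fsm_read = M_fsm_read in
    let new_M_fsm_write = M_fsm_write in
    let new_M_fsm_byte_write = M_fsm_byte_write in
    let new_M_fsm_mem_enable = M_fsm_mem_enable in
    let new_M_addrA = M_addrA in
    let new_M_beA = M_beA in
    let new_M_countA = M_countA in
    let new_M_rdyA = M_rdyA in
    let new_M_rd_dataA = M_rd_dataA in
    let m_rdy = ((new_M_fsm_write /\ (new_M_countA = (WORDN 1)))
                 \/ (new_M_fsm_read /\ (new_M_countA = (WORDN 1)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((new_M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let mb_data_7_0 =
      ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY new_M_rd_dataA (7,0))) in
    let mb_data_15_8 =
      ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY new_M_rd_dataA (15,8))) in
    let mb_data_23_16 =
      ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA (23,16))) in
    let mb_data_31_24 =
      ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY new_M_rd_dataA (31,24))) in
    let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
                                           (15,8) mb_data_15_8)
                                   (23,16) mb_data_23_16)
                           (31,24) mb_data_31_24)) in
    let I_ad_out = ((~new_M_wr /\ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
    let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
    let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
    let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
    let MB_cs_eeprom_ = ~(new_M_fsm_mem_enable /\ ~new_M_se) in
    let MB_cs_sram_ = ~(new_M_fsm_mem_enable /\ new_M_se) in
    let MB_we_ = ~((new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom)
                   /\ ~Disable_writes
                   /\ (new_M_fsm_byte_write \/ new_M_fsm_write \/ new_M_wwdel)) in
    let MB_oe_ = ~((~new_M_wr /\ new_M_fsm_address) \/ new_M_fsm_read) in
    let MB_parity = new_M_parity in
    (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
     MB_parity)"
  );;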
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C.3 R Port Specification 


% — 


File: 

r_phase.ml

Author: 

(c) D.A. Fura 1992 

Date: 

31 March 1992 


This file contains the ml source for the phase-level specification of the R-Port of the FTEP PIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 
The bulk of this code was translated from an M-language simulation program using a translator 
written by P.J. Windley at the University of Idaho. 


% 


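% Theory set-up and tuple types for the R-Port phase-level specification.

  The search path is extended with one absolute directory under a user's home
  directory, and the file abstract is then loaded by name.  Because the
  directory is appended, entries already on the search path come first.
  NOTE(review): everything loaded here (abstract, and the parent theories
  raux_def, aux_def, array_def, wordn_def) is part of what the resulting
  theory rests on; for a reproducible proof run, confirm which copy is
  actually picked up and that it is under version control.

  The system call removes r_phase.th before new_theory is called, presumably
  so that a stale theory file from an earlier run does not block creation.

  r_state_ty, r_env_ty and r_out_ty are the 88-, 20- and 10-component product
  types of the state, environment and output tuples; r_state, r_env and r_out
  are variable tuples of those types.  The component order must agree with
  the tuple patterns used in the PH_A and PH_B definitions of this theory.

  NOTE(review): symbols were restored from a scanned listing.  The directory
  name lib is taken from the matching line of the M-Port file, counter names
  follow the ctr0..ctr3 sequence, and the type annotation closing r_out,
  missing in the scan, is restored by analogy with r_state and r_env.
  Confirm against the machine-readable source before reuse.
%
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm r_phase.th`;;
new_theory `r_phase`;;
loadf `abstract`;;

map new_parent [`raux_def`;`aux_def`;`array_def`;`wordn_def`];;

let r_state_ty = ":(rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                    bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#
                    wordn#bool#wordn#wordn#wordn#
                    rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                    bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#wordn#
                    bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                    wordn#wordn#wordn#bool#wordn#bool#wordn#bool#wordn#bool)";;
let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
                 R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
                 R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
                 R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
                 R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
                 R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
                 R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
                 R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
                 R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
                 R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
                 R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
                 R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
                 R_sr_rden)
                :^r_state_ty)";;

let r_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                  wordn#wordn#wordn#bool#bool#wordn)";;

let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
               Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
              :^r_env_ty)";;

let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;

let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;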


% — 

Next-state definition for Phase-A instruction. 


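% PH_A_inst rep state env = next state, for the Phase-A step of the R port.

  Arguments: rep (typed by rep_ty), the state tuple and the environment
  tuple; every component is universally quantified with its type. The
  result is the tuple of new_ values in state-tuple order.

  What this phase computes, all from the current state:
    - new_R_fsm_stateA : R_fsm_rst forces RI; from RI a low R_fsm_ale_
      moves to RA; from RA a low R_fsm_mrdy_ moves to RD; in the remaining
      state a low R_fsm_last_ returns to RI, otherwise RA.
    - the A-side latches (cntlatch_delA, srdy_delA_, reg_selA, icr_loadA,
      int0_disA, int3_disA, c01_cout_delA, c23_cout_delA) take the value of
      their B-side counterpart.
    - counters: each R_ctrN reloads from R_ctrN_in when R_ctrN_mux_sel is
      set, otherwise takes R_ctrN_new; counters 0 and 2 are enabled by
      R_gcr bits 19 and 23, counters 1 and 3 take the carry of 0 and 2.
    - new_R_int0_en / new_R_int3_en : OR over eight bit pairs of R_icr,
      bit i paired with bit i+8 (i = 0..7 and i = 16..23).
    - new_R_busA_latch : priority chain over the read-enables; ARBN when
      none is set.
  Every binding from new_R_fsm_state to new_R_sr_rden copies the current
  value, so Phase A leaves those registers unchanged.

  NOTE(review): r_read, r_cir_wr01 and r_cir_wr23 are bound here but no
  later binding or the result tuple refers to them, and r_write is used
  only by those two, so Disable_writes has no effect on the Phase-A next
  state.

  Transcription note: the conjunction, disjunction, negation and
  conditional symbols, and the digits 0 and 1 inside identifiers, are
  restored from the scanned listing and cross-checked against
  PH_A_out_def, which repeats these bindings. %
let PH_A_inst_def = new_definition
 (`PH_A_inst`,
  "! (rep:^rep_ty)
   (R_fsm_stateA R_fsm_state :rfsm_ty)
   (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
    R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
    R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
    R_ccr R_gcr R_sr :wordn)
   (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
    R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
    R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
    R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
    R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
    R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
    R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
    R_sr_rden :bool)
   (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
   (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
    CB_parity MB_parity :bool) .
   PH_A_inst rep
   (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
   let new_R_fsm_stateA =
     ((R_fsm_rst) => RI |
     ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
     ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
     ((~R_fsm_last_) => RI | RA)))) in
   let new_R_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
   let new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
   let new_R_cntlatch_delA = R_cntlatch_del in
   let new_R_srdy_delA_ = R_srdy_del_ in
   let new_R_reg_selA = R_reg_sel in
   let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
   let r_write = (~Disable_writes /\ R_wr /\ (new_R_fsm_stateA = RD)) in
   let r_read = (~R_wr /\ (new_R_fsm_stateA = RA)) in
   let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
   let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
   let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
   let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
   let new_R_ctr0_cin = T in
   let new_R_ctr0_outA = R_ctr0_new in
   let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
   let new_R_ctr1_ce = T in
   let new_R_ctr1_cin = R_ctr0_cry in
   let new_R_ctr1_outA = R_ctr1_new in
   let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
   let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
   let new_R_ctr2_cin = T in
   let new_R_ctr2_outA = R_ctr2_new in
   let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
   let new_R_ctr3_ce = T in
   let new_R_ctr3_cin = R_ctr2_cry in
   let new_R_ctr3_outA = R_ctr3_new in
   let new_R_icr_loadA = R_icr_load in
   let new_R_icr_oldA =
     (((new_R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_oldA) in
   let new_R_icrA =
     ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) | Orn rep (R_icr_old, R_icr_mask)) in
   let new_R_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                        ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                        ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                        ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                        ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                        ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                        ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                        ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
   let new_R_int0_disA = R_int0_dis in
   let new_R_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                        ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                        ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                        ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                        ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                        ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                        ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                        ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
   let new_R_int3_disA = R_int3_dis in
   let new_R_c01_cout = R_ctr1_cry in
   let new_R_c01_cout_delA = R_c01_cout_del in
   let new_R_c23_cout = R_ctr3_cry in
   let new_R_c23_cout_delA = R_c23_cout_del in
   let new_R_busA_latch =
     (((R_ctr0_irden) => R_ctr0_in |
      ((R_ctr0_orden) => R_ctr0_out |
      ((R_ctr1_irden) => R_ctr1_in |
      ((R_ctr1_orden) => R_ctr1_out |
      ((R_ctr2_irden) => R_ctr2_in |
      ((R_ctr2_orden) => R_ctr2_out |
      ((R_ctr3_irden) => R_ctr3_in |
      ((R_ctr3_orden) => R_ctr3_out |
      ((R_icr_rden) => R_icr |
      ((R_ccr_rden) => R_ccr |
      ((R_gcr_rden) => R_gcr |
      ((R_sr_rden) => R_sr | ARBN))))))))))))) in
   let new_R_fsm_state = R_fsm_state in
   let new_R_fsm_ale_ = R_fsm_ale_ in
   let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
   let new_R_fsm_last_ = R_fsm_last_ in
   let new_R_fsm_rst = R_fsm_rst in
   let new_R_int0_dis = R_int0_dis in
   let new_R_int3_dis = R_int3_dis in
   let new_R_c01_cout_del = R_c01_cout_del in
   let new_R_int1_en = R_int1_en in
   let new_R_c23_cout_del = R_c23_cout_del in
   let new_R_int2_en = R_int2_en in
   let new_R_wr = R_wr in
   let new_R_cntlatch_del = R_cntlatch_del in
   let new_R_srdy_del_ = R_srdy_del_ in
   let new_R_reg_sel = R_reg_sel in
   let new_R_ctr0_in = R_ctr0_in in
   let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
   let new_R_ctr0_irden = R_ctr0_irden in
   let new_R_ctr0_cry = R_ctr0_cry in
   let new_R_ctr0_new = R_ctr0_new in
   let new_R_ctr0_out = R_ctr0_out in
   let new_R_ctr0_orden = R_ctr0_orden in
   let new_R_ctr1_in = R_ctr1_in in
   let new_R_ctr1_mux_sel = R_ctr1_mux_sel in
   let new_R_ctr1_irden = R_ctr1_irden in
   let new_R_ctr1_cry = R_ctr1_cry in
   let new_R_ctr1_new = R_ctr1_new in
   let new_R_ctr1_out = R_ctr1_out in
   let new_R_ctr1_orden = R_ctr1_orden in
   let new_R_ctr2_in = R_ctr2_in in
   let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
   let new_R_ctr2_irden = R_ctr2_irden in
   let new_R_ctr2_cry = R_ctr2_cry in
   let new_R_ctr2_new = R_ctr2_new in
   let new_R_ctr2_out = R_ctr2_out in
   let new_R_ctr2_orden = R_ctr2_orden in
   let new_R_ctr3_in = R_ctr3_in in
   let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
   let new_R_ctr3_irden = R_ctr3_irden in
   let new_R_ctr3_cry = R_ctr3_cry in
   let new_R_ctr3_new = R_ctr3_new in
   let new_R_ctr3_out = R_ctr3_out in
   let new_R_ctr3_orden = R_ctr3_orden in
   let new_R_icr_load = R_icr_load in
   let new_R_icr_old = R_icr_old in
   let new_R_icr_mask = R_icr_mask in
   let new_R_icr = R_icr in
   let new_R_icr_rden = R_icr_rden in
   let new_R_ccr = R_ccr in
   let new_R_ccr_rden = R_ccr_rden in
   let new_R_gcr = R_gcr in
   let new_R_gcr_rden = R_gcr_rden in
   let new_R_sr = R_sr in
   let new_R_sr_rden = R_sr_rden in
   (new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA, new_R_int3_en,
    new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout, new_R_c23_cout_delA,
    new_R_cntlatch_delA,
    new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0, new_R_ctr0_ce, new_R_ctr0_cin, new_R_ctr0_outA, new_R_ctr1,
    new_R_ctr1_ce, new_R_ctr1_cin, new_R_ctr1_outA, new_R_ctr2, new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA,
    new_R_ctr3, new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA, new_R_icr_loadA, new_R_icr_oldA, new_R_icrA,
    new_R_busA_latch, new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst,
    new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
    new_R_wr,
    new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden,
    new_R_ctr0_cry, new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel,
    new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in,
    new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry, new_R_ctr2_new, new_R_ctr2_out, new_R_ctr2_orden,
    new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3_irden, new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out,
    new_R_ctr3_orden, new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr,
    new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
 );;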


% Output definition for Phase-A instruction. %


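% PH_A_out rep state env = output tuple, for the Phase-A step of the R port.

  Takes the same arguments as PH_A_inst and repeats all of its
  next-state bindings; the outputs are then computed from the new_ values
  rather than from the current state:
    - I_ad_out : new_R_busA_latch when new_R_wr is false and the new FSM
      state is RA or RD, otherwise ARBN.
    - I_srdy_  : new_R_fsm_srdy_ when the new FSM state is RD or RA,
      otherwise ARB.
    - Int0_, Int3_ : negation of (enable and not disable-latch and not
      Disable_int).
    - Int1, Int2   : carry-out and enable and not Disable_int.
    - Ccr is new_R_ccr; Led is bits 3..0 of new_R_gcr; Reset_error and
      Pmm_invalid are bits 24 and 28 of new_R_gcr.
  Disable_int therefore gates all four interrupt outputs.

  NOTE(review): ARB and ARBN stand in for the cases where the definition
  gives no specific value, so a proof about I_ad_out or I_srdy_ can only
  use their value when the guarding condition holds.

  Transcription note: operators and the digits 0 and 1 in identifiers are
  restored from the scanned listing and cross-checked against
  PH_A_inst_def. %
let PH_A_out_def = new_definition
 (`PH_A_out`,
  "! (rep:^rep_ty)
   (R_fsm_stateA R_fsm_state :rfsm_ty)
   (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
    R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
    R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
    R_ccr R_gcr R_sr :wordn)
   (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
    R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
    R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
    R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
    R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
    R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
    R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
    R_sr_rden :bool)
   (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
   (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
    CB_parity MB_parity :bool) .
   PH_A_out rep
   (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
   let new_R_fsm_stateA =
     ((R_fsm_rst) => RI |
     ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
     ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
     ((~R_fsm_last_) => RI | RA)))) in
   let new_R_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
   let new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
   let new_R_cntlatch_delA = R_cntlatch_del in
   let new_R_srdy_delA_ = R_srdy_del_ in
   let new_R_reg_selA = R_reg_sel in
   let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
   let r_write = (~Disable_writes /\ R_wr /\ (new_R_fsm_stateA = RD)) in
   let r_read = (~R_wr /\ (new_R_fsm_stateA = RA)) in
   let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
   let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
   let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
   let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
   let new_R_ctr0_cin = T in
   let new_R_ctr0_outA = R_ctr0_new in
   let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
   let new_R_ctr1_ce = T in
   let new_R_ctr1_cin = R_ctr0_cry in
   let new_R_ctr1_outA = R_ctr1_new in
   let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
   let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
   let new_R_ctr2_cin = T in
   let new_R_ctr2_outA = R_ctr2_new in
   let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
   let new_R_ctr3_ce = T in
   let new_R_ctr3_cin = R_ctr2_cry in
   let new_R_ctr3_outA = R_ctr3_new in
   let new_R_icr_loadA = R_icr_load in
   let new_R_icr_oldA =
     (((new_R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_oldA) in
   let new_R_icrA =
     ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) | Orn rep (R_icr_old, R_icr_mask)) in
   let new_R_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                        ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                        ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                        ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                        ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                        ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                        ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                        ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
   let new_R_int0_disA = R_int0_dis in
   let new_R_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                        ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                        ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                        ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                        ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                        ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                        ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                        ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
   let new_R_int3_disA = R_int3_dis in
   let new_R_c01_cout = R_ctr1_cry in
   let new_R_c01_cout_delA = R_c01_cout_del in
   let new_R_c23_cout = R_ctr3_cry in
   let new_R_c23_cout_delA = R_c23_cout_del in
   let new_R_busA_latch =
     (((R_ctr0_irden) => R_ctr0_in |
      ((R_ctr0_orden) => R_ctr0_out |
      ((R_ctr1_irden) => R_ctr1_in |
      ((R_ctr1_orden) => R_ctr1_out |
      ((R_ctr2_irden) => R_ctr2_in |
      ((R_ctr2_orden) => R_ctr2_out |
      ((R_ctr3_irden) => R_ctr3_in |
      ((R_ctr3_orden) => R_ctr3_out |
      ((R_icr_rden) => R_icr |
      ((R_ccr_rden) => R_ccr |
      ((R_gcr_rden) => R_gcr |
      ((R_sr_rden) => R_sr | ARBN))))))))))))) in
   let new_R_fsm_state = R_fsm_state in
   let new_R_fsm_ale_ = R_fsm_ale_ in
   let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
   let new_R_fsm_last_ = R_fsm_last_ in
   let new_R_fsm_rst = R_fsm_rst in
   let new_R_int0_dis = R_int0_dis in
   let new_R_int3_dis = R_int3_dis in
   let new_R_c01_cout_del = R_c01_cout_del in
   let new_R_int1_en = R_int1_en in
   let new_R_c23_cout_del = R_c23_cout_del in
   let new_R_int2_en = R_int2_en in
   let new_R_wr = R_wr in
   let new_R_cntlatch_del = R_cntlatch_del in
   let new_R_srdy_del_ = R_srdy_del_ in
   let new_R_reg_sel = R_reg_sel in
   let new_R_ctr0_in = R_ctr0_in in
   let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
   let new_R_ctr0_irden = R_ctr0_irden in
   let new_R_ctr0_cry = R_ctr0_cry in
   let new_R_ctr0_new = R_ctr0_new in
   let new_R_ctr0_out = R_ctr0_out in
   let new_R_ctr0_orden = R_ctr0_orden in
   let new_R_ctr1_in = R_ctr1_in in
   let new_R_ctr1_mux_sel = R_ctr1_mux_sel in
   let new_R_ctr1_irden = R_ctr1_irden in
   let new_R_ctr1_cry = R_ctr1_cry in
   let new_R_ctr1_new = R_ctr1_new in
   let new_R_ctr1_out = R_ctr1_out in
   let new_R_ctr1_orden = R_ctr1_orden in
   let new_R_ctr2_in = R_ctr2_in in
   let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
   let new_R_ctr2_irden = R_ctr2_irden in
   let new_R_ctr2_cry = R_ctr2_cry in
   let new_R_ctr2_new = R_ctr2_new in
   let new_R_ctr2_out = R_ctr2_out in
   let new_R_ctr2_orden = R_ctr2_orden in
   let new_R_ctr3_in = R_ctr3_in in
   let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
   let new_R_ctr3_irden = R_ctr3_irden in
   let new_R_ctr3_cry = R_ctr3_cry in
   let new_R_ctr3_new = R_ctr3_new in
   let new_R_ctr3_out = R_ctr3_out in
   let new_R_ctr3_orden = R_ctr3_orden in
   let new_R_icr_load = R_icr_load in
   let new_R_icr_old = R_icr_old in
   let new_R_icr_mask = R_icr_mask in
   let new_R_icr = R_icr in
   let new_R_icr_rden = R_icr_rden in
   let new_R_ccr = R_ccr in
   let new_R_ccr_rden = R_ccr_rden in
   let new_R_gcr = R_gcr in
   let new_R_gcr_rden = R_gcr_rden in
   let new_R_sr = R_sr in
   let new_R_sr_rden = R_sr_rden in
   let I_ad_out = ((~new_R_wr /\ ((new_R_fsm_stateA = RA) \/ (new_R_fsm_stateA = RD))) => new_R_busA_latch | ARBN) in
   let I_srdy_ = (((new_R_fsm_stateA = RD) \/ ((new_R_fsm_stateA = RA))) => new_R_fsm_srdy_ | ARB) in
   let Int0_ = ~(new_R_int0_en /\ ~new_R_int0_disA /\ ~Disable_int) in
   let Int1 = (new_R_c01_cout /\ new_R_int1_en /\ ~Disable_int) in
   let Int2 = (new_R_c23_cout /\ new_R_int2_en /\ ~Disable_int) in
   let Int3_ = ~(new_R_int3_en /\ ~new_R_int3_disA /\ ~Disable_int) in
   let Ccr = new_R_ccr in
   let Led = (SUBARRAY new_R_gcr (3,0)) in
   let Reset_error = (ELEMENT new_R_gcr (24)) in
   let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
   (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
 );;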


% Next-state definition for Phase-B instruction. %


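% PH_B_inst rep state env = next state, for the Phase-B step of the R port.

  Takes the same arguments as PH_A_inst and returns a tuple in the same
  order. Here the B-side registers are updated and the A-side latches
  are copied unchanged (the bindings from new_R_fsm_stateA to
  new_R_busA_latch).

  Address phase: when I_rale_ is low, new_R_wr takes bit 27 of I_ad_in and
  new_R_reg_sel takes bits 3..0 of I_ad_in; otherwise R_wr holds and the
  register select is the (possibly incremented) R_reg_selA.

  Register writes: r_write is
      not Disable_writes and new_R_wr and (R_fsm_stateA = RD)
  and every register load from I_ad_in (R_ccr, R_gcr, R_ctrN_in,
  R_icr_mask) as well as R_icr_load and R_icr_old is guarded by it, so
  Disable_writes blocks all of them. The loads of new_R_wr and
  new_R_reg_sel above are not guarded by Disable_writes.

  Register reads: the read-enables are r_read and a register number.
  NOTE(review): new_R_icr_rden is the exception; it tests
  (R_fsm_stateA = RA) directly and so does not include the
  not-new_R_wr term that r_read carries -- confirm this is intended.

  Status register: new_R_sr is rebuilt from ARBN with ALTER / MALTER at
  bits 28, 27..25, 24, 23..22, 21..16, 15..12, 9, 8, 3..2 and 1..0, and is
  loaded only when R_fsm_cntlatch is set. The remaining positions
  (31..29, 11..10, 7..4) are not written by any of those calls, so they
  presumably keep whatever ARBN supplies -- confirm against the
  definition of ALTER.

  Timer interrupt enables: for new_R_int1_en write
      S = gcr[18] and (r_cir_wr01 or (R_c01_cout and gcr[16]))
      C = not gcr[18] or (gcr[17] and R_c01_cout_del)
  with gcr standing for new_R_gcr. Then S and not C gives T, not S and C
  gives F, not S and not C holds R_int1_en, and the remaining case
  (S and C together) gives ARB, i.e. no specific value. new_R_int2_en
  has the same shape with bits 22, 20, 21, r_cir_wr23 and the c23 carry.

  Transcription note: operators and the digits 0 and 1 in identifiers are
  restored from the scanned listing and cross-checked against the
  visible part of PH_B_out_def, which repeats these bindings. %
let PH_B_inst_def = new_definition
 (`PH_B_inst`,
  "! (rep:^rep_ty)
   (R_fsm_stateA R_fsm_state :rfsm_ty)
   (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
    R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
    R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
    R_ccr R_gcr R_sr :wordn)
   (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
    R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
    R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
    R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
    R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
    R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
    R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
    R_sr_rden :bool)
   (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
   (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
    CB_parity MB_parity :bool) .
   PH_B_inst rep
   (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
   let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
   let new_R_srdy_del_ = R_fsm_srdy_ in
   let new_R_reg_sel =
     ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
     ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
   let new_R_cntlatch_del = R_fsm_cntlatch in
   let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
   let r_write = (~Disable_writes /\ new_R_wr /\ (R_fsm_stateA = RD)) in
   let r_read = (~new_R_wr /\ (R_fsm_stateA = RA)) in
   let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
   let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
   let new_R_ccr = ((r_write /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
   let new_R_ccr_rden = (r_read /\ (r_reg_sel = (WORDN 3))) in
   let new_R_gcr = ((r_write /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
   let new_R_gcr_rden = (r_read /\ (r_reg_sel = (WORDN 2))) in
   let new_R_ctr0_in = ((r_write /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
   let new_R_ctr0_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
   let new_R_ctr0_irden = (r_read /\ (r_reg_sel = (WORDN 8))) in
   let new_R_ctr0_new = ((R_ctr0_ce /\ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
   let new_R_ctr0_cry = (R_ctr0_ce /\ R_ctr0_cin /\ (ONES 31 R_ctr0)) in
   let new_R_ctr0_out = ((R_fsm_cntlatch) => R_ctr0_outA | R_ctr0_out) in
   let new_R_ctr0_orden = (r_read /\ (r_reg_sel = (WORDN 12))) in
   let new_R_ctr1_in = ((r_write /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
   let new_R_ctr1_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
   let new_R_ctr1_irden = (r_read /\ (r_reg_sel = (WORDN 9))) in
   let new_R_ctr1_new = ((R_ctr1_ce /\ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
   let new_R_ctr1_cry = (R_ctr1_ce /\ R_ctr1_cin /\ (ONES 31 R_ctr1)) in
   let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
   let new_R_ctr1_orden = (r_read /\ (r_reg_sel = (WORDN 13))) in
   let new_R_ctr2_in = ((r_write /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
   let new_R_ctr2_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
   let new_R_ctr2_irden = (r_read /\ (r_reg_sel = (WORDN 10))) in
   let new_R_ctr2_new = ((R_ctr2_ce /\ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
   let new_R_ctr2_cry = (R_ctr2_ce /\ R_ctr2_cin /\ (ONES 31 R_ctr2)) in
   let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
   let new_R_ctr2_orden = (r_read /\ (r_reg_sel = (WORDN 14))) in
   let new_R_ctr3_in = ((r_write /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
   let new_R_ctr3_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
   let new_R_ctr3_irden = (r_read /\ (r_reg_sel = (WORDN 11))) in
   let new_R_ctr3_new = ((R_ctr3_ce /\ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
   let new_R_ctr3_cry = (R_ctr3_ce /\ R_ctr3_cin /\ (ONES 31 R_ctr3)) in
   let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
   let new_R_ctr3_orden = (r_read /\ (r_reg_sel = (WORDN 15))) in
   let new_R_icr_load = (r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
   let new_R_icr_old =
     ((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr_oldA | R_icr_old) in
   let new_R_icr_mask =
     ((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
   let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
   let new_R_icr_rden = ((R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
   let sr28 = (ALTER ARBN (28) MB_parity) in
   let sr28_25 = (MALTER sr28 (27,25) C_ss) in
   let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
   let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
   let sr28_16 = (MALTER sr28_22 (21,16) Id) in
   let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
   let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
   let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
   let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
   let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
   let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
   let new_R_sr_rden = (r_read /\ (r_reg_sel = (WORDN 4))) in
   let new_R_int0_dis = R_int0_en in
   let new_R_int3_dis = R_int3_en in
   let new_R_c01_cout_del = R_c01_cout in
   let new_R_c23_cout_del = R_c23_cout in
   let new_R_int1_en =
     ((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
       /\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
     ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
       /\ (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
     ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
       /\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
   let new_R_int2_en =
     ((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
       /\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
     ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
       /\ (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
     ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
       /\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
   let new_R_fsm_state = R_fsm_stateA in
   let new_R_fsm_ale_ = I_rale_ in
   let new_R_fsm_mrdy_ = I_mrdy_ in
   let new_R_fsm_last_ = I_last_ in
   let new_R_fsm_rst = Rst in
   let new_R_fsm_stateA = R_fsm_stateA in
   let new_R_fsm_cntlatch = R_fsm_cntlatch in
   let new_R_fsm_srdy_ = R_fsm_srdy_ in
   let new_R_int0_en = R_int0_en in
   let new_R_int0_disA = R_int0_disA in
   let new_R_int3_en = R_int3_en in
   let new_R_int3_disA = R_int3_disA in
   let new_R_c01_cout = R_c01_cout in
   let new_R_c01_cout_delA = R_c01_cout_delA in
   let new_R_c23_cout = R_c23_cout in
   let new_R_c23_cout_delA = R_c23_cout_delA in
   let new_R_cntlatch_delA = R_cntlatch_delA in
   let new_R_srdy_delA_ = R_srdy_delA_ in
   let new_R_reg_selA = R_reg_selA in
   let new_R_ctr0 = R_ctr0 in
   let new_R_ctr0_ce = R_ctr0_ce in
   let new_R_ctr0_cin = R_ctr0_cin in
   let new_R_ctr0_outA = R_ctr0_outA in
   let new_R_ctr1 = R_ctr1 in
   let new_R_ctr1_ce = R_ctr1_ce in
   let new_R_ctr1_cin = R_ctr1_cin in
   let new_R_ctr1_outA = R_ctr1_outA in
   let new_R_ctr2 = R_ctr2 in
   let new_R_ctr2_ce = R_ctr2_ce in
   let new_R_ctr2_cin = R_ctr2_cin in
   let new_R_ctr2_outA = R_ctr2_outA in
   let new_R_ctr3 = R_ctr3 in
   let new_R_ctr3_ce = R_ctr3_ce in
   let new_R_ctr3_cin = R_ctr3_cin in
   let new_R_ctr3_outA = R_ctr3_outA in
   let new_R_icr_loadA = R_icr_loadA in
   let new_R_icr_oldA = R_icr_oldA in
   let new_R_icrA = R_icrA in
   let new_R_busA_latch = R_busA_latch in
   (new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA, new_R_int3_en,
    new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout, new_R_c23_cout_delA,
    new_R_cntlatch_delA,
    new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0, new_R_ctr0_ce, new_R_ctr0_cin, new_R_ctr0_outA, new_R_ctr1,
    new_R_ctr1_ce, new_R_ctr1_cin, new_R_ctr1_outA, new_R_ctr2, new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA,
    new_R_ctr3, new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA, new_R_icr_loadA, new_R_icr_oldA, new_R_icrA,
    new_R_busA_latch, new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst,
    new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
    new_R_wr,
    new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden,
    new_R_ctr0_cry, new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel,
    new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in,
    new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry, new_R_ctr2_new, new_R_ctr2_out, new_R_ctr2_orden,
    new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3_irden, new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out,
    new_R_ctr3_orden, new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr,
    new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
 );;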

% Output definition for Phase-B instruction. %


let PH_B_out_def = new_definition 
( 4 PH_B_out 4 , 

44 1 (rep^ep^ty) 

(R_fsm_stateA R_fsm_state :rfsm_ty) 

(R_ re g__selA R_ctrO R_ctrtLoutA R_ctrl R_ctil_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3.outA R_icr_oldA 
R _icrA R_busA_latcb R_reg_sel R_cbO_in R_ctiO_new R_ctrO_out R_c(rl_in R_ctrl_new R_ctrl_out 
R~ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_tcr 
R_ccr R_gcr R_sr :wordn) 

(R_fsm_cntlatch R_fsm_srdy_ R_intO_en R_intO_disA R_int3_en R_int3_disA R_e01_cout R_c01_cout_delA 
R_c23_cout R_c23_cout_deLA R_cntlatch_delA R_sidy_delA_ R_ctrO_ce R_cbO_cin R_ctrl_ce R_ctrl_ciD 
R~ctr2~ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R Jcr JoadA R_fsm_ale_ R_fsm_mrdy_ R _fsm_last_ R_fsm_rst 
R_intO_dis R_int3_dis R_c01_cout_del R_intl_en R_c23_cout_del R_int2_en R_wr R_cntiatch_del 
R_srdy_del_ R_ctrO_mux_sel R_ctrO_irden R_ctiO_cry R_ctrO_orden R_ctrl_mux_sel R_ctrl_irden 
R_ctrl_cry R_ctrl_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel 
R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_k>ad R _icr_rden R_ccr_rden R_gcr_rden 
R_sr_rden :bool) 

(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannellD C_ss ;wordn) 

(ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disablement Disable_ writes Piu_fail Pmm_fail 
CB__parity MB_panty :bool) . 

PH_B_out rep 

(R_fsm_stateA, R„fsm_cntlatch. R_fsm_srdy_, R_intO_en, R_intO_disA, R_int3_en, R_mt3_jiisA, 
R_c01_cout, R_cO l_cout_del A, R_c23_cout, R_c23_cout_delA. R_cntlateh_delA, R_srdy_delA_, 
R_reg_selA, R_ctrO, R_ctrO_ce, R_ctrO_cin, R_ctrO_outA, R_c(rl,R_ctrl_ce, R_ctrl_cin, 
R_ctrl_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin, 
R_ctr3_outA, R _icr_loadA, R_icr_oldA, R_icrA, R_busA_lateh, R_fsm_state, R_fsm_ale_, 
R_fsm_mniy_, R_fsm_last_. R_fsm_rst, R_intO_dis, RJnt3_dis, R_c01_cout_del, R_intl_en, 
R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctrO_in, 
R_cdO_mux_sel , R_ctrO_iiden, R_ctrO_cry, R_ctrO_new, R_cbO_out, R_ctiO_orden, R_ctrl_in, 
R_ctrl_mux_sel, R_ctrl_iiden, R_ctrl_cry, R_ctrl_new, R_ctrl_out, R_ctrl_orden, R_ctr2_in, 
R_ctr2_mux_sel. R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctf2_out, R_ctr2_orden, R_ctr3_in, 
R_ctr3_mux_sel, R_cti3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, RJcrJoad, 

R icr old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_fden, R_*cr, R_gcr_rden, R_sr, 

R_sr_fden) 

(ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disabtejnt, Disable_wntes, 

Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannellD, CB_parity, MB_panty, C_ss) = 

let new_R_wr = ((-IjaleJ => (ELEMENT I_ad_in (27)) I R_wr) in 
let new_R_sfdy_del_ = R_fsm_srdy_ in 
let new_R_reg_sel = 

((-I_rale_) => (SUB ARRAY I_ad_in (3,0)) I 
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((~R_srdy_delA_) => (INCN 3 R reg selA) I R_reg_selA)) in 
let new_R_cntlatch_del = R_fsm_cntlatch in 

let r_reg_sel = ((~R_srdy_delAJ => (INCN 3 R _reg_selA) I R _jeg_se!A) in 
let r_write = (~Disable_writes A new_R_wr A (R_fsm_stateA = RD)) in 
let r_read = (-ncw_R_wr A (R_f8m_stateA = RA)) in 

let r_cir_wr01 = (r.write A ((r_reg_sel = (WORDN 8)) V (r_reg_sel = (WORDN 9)))) in 

let r_cir_wr23 = (rewrite A ((r_reg_sel = (WORDN 10)) V (r_re&_sel = (WORDN 11)))) in 

let new_R_ccr = ((r_wnte A (r_reg_sel = (WORDN 3))) => I_ad_in I R_ccr) in 

let new_R_ccr_rden = (reread A (r_reg_sel = (WORDN 3))) in 

let new_R_gcr = ((r_wnte A (r_reg_sei = (WORDN 2))) => I_ad_m I R_gcr) in 

let new_R_gcr_rden = (r_read A (r_reg_sel = (WORDN 2))) in 

let new_R_ctrO_in = ((rewrite A (r_reg_sel = (WORDN 8))) => I_ad_in I R_ctrO_in) in 

let new_R_ctrO_mux_sel = (r_cir_wr01 V ((ELEMENT new_R_gcr (16)) A R_c01_cout)) in 

let ne w_R_c trO_irden = (r_read A (r_reg_sel = (WORDN 8))) in 

let new_R_ctrO_new = ((R_ctrO_ce A R_ctrO_cin) => (INCN 31 R_ctiO) I R_ctrO) in 

let new_R_ctiO_CTy = (R_ctrO_ce A R_cfcrO_cin A (ONES 31 R_ctrO)) in 

let new_R_ctrO_out = ((R_fsm_cntlatch) => R_ctrO_outA I R_ctrO_out) in 

let new_R_ctrO_orden = (reread A (r_reg_sel = (WORDN 12))) in 

let new_R_ctrl_in = ((r„ write A (r_reg_sel * (WORDN 9))) => I_ad_in I R_ctrl_in) in 

let new_R_ctr l_mux_sel m (r_cir_wr01 V ((ELEMENT new_R_gcr (16)) A R_c01_cout)) in 

let new_R_ctr l_irdeo = (reread A (r_reg_sel = (WORDN 9))) in 

let new_R_ctrl_new = ((R_ctrl_ce A R_ctrl_cin) => (INCN 31 R_ctrl) I R_ctrl) in 

let new_R_ctrl_cry = (R_ctrl_ce A R_ctrl_cxn A (ONES 31 R_ctrl )) in 

let newJ*_ctrl_out = ((R_cntlatch_delA) => R_ctrl_outA I R_ctrl_out) in 

let new_R_ctr 1 _orden = (reread A (r_reg_sel = (WORDN 13))) in 

let new_R_ctr2_in = ((r_ write A (r_reg_sel = (WORDN 10))) => I_ad_in I R_ctr2_in) in 

let new_R_ctr2_nnix_sel = (r_cir_wr23 V ((ELEMENT new_R_gcr (20)) A R_c23_cout)) in 

let new_R_ctr2_irden = (r_iead A (r_reg_sel * (WORDN 10))) in 

let new_R_ctr2_new = ((R_ctr2_ce A R_ctr2_cm) => (INCN 31 R_ctr2) I R_ctr2) in 

let new_R_ctr2_cry = (R_ctr2_ce A R_ctr2_cin A (ONES 31 R_ctr2)) in 

let new_R_ctr2__out = ((R_fsm_cntlatch) => R_ctr2_outA I R_ctr2_out) in 

let new_R_ctr2_orden = (reread A (r_reg_sel = (WORDN 14))) in 

let new_R_ctr3_in = ((r_ write A (r_reg_sel = (WORDN 11))) => I_ad_in I R_ctr3 Jn) in 

let new_R_ctr3_mux_sel = (r_cir_wr23 V ((ELEMENT new_R_gcr (20)) A R_c23_cout)) in 

let new_R_ctr3_irdeo = (reread A (r_reg_sel = (WORDN 11))) in 

let new_R_ctr3_new = ((R_ctr3_ce A R_cir3_cin) => (INCN 31 R__ctr3) I R_ctr3) in 

let new_R_ctr3_cry = (R_ctr3_ce A R_ctx3_cin A (ONES 31 R_ctr3)) in 

let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA \ R_ctr3_out) in 

let new_R_ctr3_orden = (r_read A (r_reg_sel = (WORDN 15))) in 

let new_R_icT_load = (r_write A ((r _reg_sel = (WORDN 0)) V (r__reg_sel = (WORDN 1)))) in 
let new_R_icr_old = 

((rewrite A ((r.re^sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) => RJcr_oldA I RJcr_old) in 
let new_R_ici _mask = 

((rewrite A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1 )))) => I_ad_in I R_icr_mask) in 
let new_R_icr = ((R_icr_loadA) => R JcrA I R_icr) in 

let new_R_icr_rden = ((R_fsm_stateA = RA) A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) in 

let sr28 = (ALTER ARBN (28) MB_parity) in 

let sr28_25 = (M ALTER sr28 (2125) C_ss) in 

let sr28_24 = (ALTER sr28_25 (24) CB j>arity) in 

let sr28_22 = (M ALTER sr28_24 (23.22) ChannellD) in 

let sr28_16 = (M ALTER sr28_22 (21.16) Id) in 

let sr28_12 = (M ALTER sr28_16 (15.12) S_state) in 

let sr28_9 = (ALTER sr28_12 (9) Pmm.fail) in 

let si28_8 = (ALTER sr28_9 (8) Piu.fail) in 
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let sr28_2 = (MALTER $r28_8 (3,2) Reset^cpu) in 

let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in 

let new_R_sr = ((R_fsm_cn Hatch) => sr28_0 I R_sr) in 

let new_R_sr_rden = (r_read A (r_reg_sel = (WORDN 4))) in 

let new_R_intO_dis = R_intO_en in 

let new_R_int3_dis = R_int3_en in 

let new_R_cO 1 _cout_del = R_c01_cout in 

let new_R_c23_cout_del = R_c23_cout in 

let new_R_intl_en = 

((((ELEMENT new_R_gcr (18)) A (r_cir_wi01 V (R_c01_cout A (ELEMENT new_R_gcr (16))))) 

A -(-(ELEMENT oew_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_cOI_cout_del))) => T I 
((-((ELEMENT new_R_gcr ( 1 8)) A (r_cir_wr01 V (R_c01_cout A (ELEMENT new_R_gcr ( 1 6))))) 

A (-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => F I 
((-((ELEMENT new_R_gcr ( 1 8)) A (r_cir_wr01 V (R_c01_cout A (ELEMENT new_R_gcr (16))))) 

A -(-(ELEMENT new_R_£cr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => R_intl_en I ARB))) in 
let new_R_int2_en = 

((((ELEMENT new_R_gcr (22)) A (r_cir_wr23 V (R_c23_cout A (ELEMENT new_R_£cr (20))))) 

A -(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => T I 
((-((ELEMENT new_R_gcr (22)) A (r_cir_wr23 V (R_c23_cout A (ELEMENT new_R_gcr (20))))) 

A (-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => F I 
((-((ELEMENT new_R_gcr (22)) A (r_cir_wr23 V (R_c23_cout A (ELEMENT new_R_gcr (20))))) 

A -(-(ELEMENT new_R_£cr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => R_int2_en I ARB))) in 
let new_R_fsm_state = R_fsm_stateA in 
let new_R_fsm_ale_ = I_rale_ in 
let new_R_fsm_mrdy_ = I_mrdy_ in 
let new_R_fsm_last_ = I_last_ in 
let new_R_fsm_rst = Rst in 
let new_R_fsm_stateA = R_fsm_stateA in 
let new_R_fsm_cntlatch = R_fsm_cn Hatch in 
let new_R_fsm_srdy_ = R_fsm_srdy_ in 
let new_R_intO_en = R_intO_en in 
let new_R_intO_disA = R_intO_disA in 
let new_R_int3_en = R_int3_en in 
let new_R_int3_disA = R_int3_disA in 
let new_R_c01_cout = R_c01_cout in 
let new_R_c01 _cout_delA = R_cO 1 _cout_del A in 
let new_R_c23_cout = R_c23_cout in 
let new_R_c23_cout_delA = R_c23_co ut_del A in 
let new_R_cntlatch_delA = R_cntlatch_delA in 
let new_R_srdy_delA_ = R_srdy_delA_ in 
let new_R_reg_selA = R_reg selA in 
let new_R_ctrO = R_ctrO in 
let new_R_ctrO_ce = R_ctrO_ce in 

let new_R_ctrO_cin - R_ctiO_cin in 

let new_R_ctrO_outA = R_ctrO_outA in 
let new_R_ctrl = R_ctrl in 
let new_R_ctrl_ce = R_ctrl_ce in 
let new_R_ctrl_cin - R_ctrl_cin in 
let new_R_ctr l_outA = R_ctrl_outA in 
let new_R_ctr2 = R_ctr2 in 
let new_R_ctr2_ce = R_ctr2_ce in 
let new_R_cdr2_cin = R_ctr2_cin in 
let new_R_ctr2_outA = R_ctr2_outA in 
let new_R_ctr3 = R_ctr3 in 
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let new_R_ctr3_ce = R_ctr3_ce in 
let new_R_ctr3_cin = R_ctr3_cin in 
let new_R_ctr3_outA = R_ctr3_outA in 
let new_R_icr_loadA = R_icr_loadA in 
let new_R_icr_o IdA = R_icr_oldA in 
let new_R_icrA = R_icrA in 
let new_R_busA_latch = R_busA_latch in 

let I_ad_out = ((~new_R_wr A ((new_R_fsm_stateA = RA) V (new_R_fsm_stateA = RD))) => ne w_R_bus A_1 atch I ARBN) in 

let I_srdy_ = (((new_R_fsm_stateA = RD) V ((new_R_fsm_stateA = RA))) => new_RJsm_srdy_ I ARB) in 

let IntO_ = ~(new_R_intO_en A ~new_R_intO_disA A ~Disable_int) in 

let Inti = (new_R_c01_cout A new_R_intl_cn A ~Disable_int) in 

let Int2 = (new_R_c23_cout A new_R_int2_cn A ~Disable_int) in 

let lnt3_ = ~(new_R_int3_en A ~new_R_int3_disA A ~Disable_int) in 

let Ccr = new_R_ccr in 

let Led = (SUBARRAY new_R_gcr (3.0)) in 

let Reset_error = (ELEMENT new_R_gcr (24)) in 

let Pmm_in valid = (ELEMENT new_R_gcr (28)) in 

(I_ad_out, I_srdy_> IntO_, Inti, Int2, Int3__, Ccr, Led, Reset_error, Pmmjn valid)” 

);; 

% End of the preceding theory script: close_theory() takes the current
  theory out of draft mode. %
close_theory();;
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C.4 C Port Specification 


File: 

c_phase.ml 

Author: 

(c) D.A. Fura 1992 

Date: 

31 March 1992 


This file contains the ML source for the phase-level specification of the C-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.


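% Theory set-up for c_phase.

  The directory appended to the search path is a hard-coded location inside a
  user home directory. Every file and theory loaded from it becomes part of
  what the resulting definitions and proofs rest on, so it should be a
  controlled, versioned copy. The path separators were lost in the scan and
  are reconstructed here as dfura/ftep/piu/hol - confirm against the original
  file before reuse. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

% Delete any stale theory file in the current directory, presumably so that
  new_theory below can create it afresh. %
system `rm c_phase.th`;;

new_theory `c_phase`;;
loadf `abstract`;;

% Parent theories; judging by their names they supply the FSM state types,
  the array and word operators and the auxiliary definitions used below. %
map new_parent [`caux_def`;`aux_def`;`array_def`;`wordn_def`];;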

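% Master status codes. The slave state machine compares C_sfsm_ms against
  these values. %
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;

% Slave status codes. The master state machine compares C_mfsm_ss (and the
  data-path logic CB_ss_in) against these values. %
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;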

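% Type of the C-port state tuple, one row per group of variables in c_state:
  master FSM phase-A latches, slave FSM phase-A latches, E FSM phase-A
  latches, data-path phase-A latches, then the same four groups for the
  phase-B latches.

  NOTE(review): the fifth row is reproduced as printed and carries eight bool
  components between the first wordn and the three trailing wordn, whereas
  c_state lists seven variables there (C_holdA_ through C_rrdyA). One of the
  two is probably a scan or transcription error - check against the original
  file before loading. %
let c_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    wordn#bool#bool#bool#bool#bool#
                    csfsm_ty#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    cefsm_ty#bool#
                    bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#wordn#
                    cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#
                    csfsm_ty#bool#bool#bool#bool#bool#bool#wordn#
                    cefsm_ty#bool#bool#bool#bool#bool#bool#
                    bool#wordn#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#wordn)";;

% The C-port state as a tuple of variables. Names ending in A are the
  phase-A copies of the corresponding latches. %
let c_state = "((C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
                 C_mfsm_ma1,
                 C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1, C_mfsm_m_cout_sel0,
                 C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_, C_mfsm_mparity,
                 C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0,
                 C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity,
                 C_efsm_stateA, C_efsm_srdy_en,
                 C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA,
                 C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2,
                 C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write,
                 C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid,
                 C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
                 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                 C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                 C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
                 C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
                :^c_state_ty)";;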

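% Type of the C-port environment (input) tuple; components are in the same
  order as the variables of c_env. %
let c_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                  wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;

% The C-port inputs: I-bus signals, C-bus signals, reset and clocks, the
  Id and ChannelID words, the failure/invalid flags, Ccr and Reset_error. %
let c_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
               I_lock_, I_cale_, I_hlda_, I_crqt_,
               CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
               Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr,
               Reset_error)
              :^c_env_ty)";;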

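% Type of the C-port output tuple; components are in the same order as the
  variables of c_out. %
let c_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                  bool#wordn#wordn#wordn#wordn#bool#bool)";;

% The C-port outputs: I-bus handshake and data signals, C-bus signals,
  C_ss_out, Disable_writes and CB_parity. %
let c_out = "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
               I_ad_out, I_be_out_,
               CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
              :^c_out_ty)";;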

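% Type of the rep argument taken by the definitions below, obtained via
  abstract_type from the Andn constant of theory aux_def. %
let rep_ty = abstract_type `aux_def` `Andn`;;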

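% Next-state definition for Phase-A instruction.

  PH_A_inst rep state env gives the C-port state tuple after a phase-A step.
  The phase-A latches (names ending in A) and the signals decoded from the
  three state machines are recomputed; every phase-B latch is passed through
  unchanged (the run of new_X = X bindings near the end).

  Master FSM (C_mfsm): C_mfsm_rst forces CMI. The listed transitions are
  CMI to CMR, CMR to CMA3, then CMA1, CMA0, CMA2, CMD1, CMD0 and CMW. A
  bus request from CMI is only made when C_mfsm_invalid is false. Each of
  CMA1, CMA0, CMA2, CMD1, CMD0 and CMW has an explicit branch to CMABT when
  the slave status is SABORT. The final branch covers the remaining state
  (presumably CMABT) and leaves it for CMI once C_mfsm_last_ is low.

  Slave FSM (C_sfsm): C_sfsm_rst forces CSI. Every state other than CSI has
  an explicit branch to CSABT when the master status is MABORT. The final
  branch covers the remaining states (presumably CSABT) and returns to CSI
  when C_sfsm_D is set.

  E FSM (C_efsm): two states, CEI and CEE, with C_efsm_rst forcing CEI.

  Several intermediate signals (for example c_cout_sel, c_busy and c_grant)
  are bound here but do not feed the returned tuple.

  NOTE(review): this text is restored from a scanned listing. Identifiers
  and the operators for and, or, not, conditional and antiquotation were
  normalised from their garbled forms. In new_C_sfsm_sparity the negation of
  the CSACK comparison was reconstructed from parenthesis balance. A negation
  sign that the scan dropped without trace cannot be recovered, so compare
  against the original file before relying on any single clause. %

let PH_A_inst_def = new_definition
 (`PH_A_inst`,
  "! (rep:^rep_ty)
   (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
   (C_sfsm_stateA C_sfsm_state :csfsm_ty)
   (C_efsm_stateA C_efsm_state :cefsm_ty)
   (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
    C_source C_data_in C_iad_in :wordn)
   (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
    C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
    C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
    C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
    C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
    C_efsm_srdy_en
    C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
    C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
    C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
    C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
    C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
    C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
    C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
    C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
    C_rrdy C_parity :bool)
   (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
    Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
   (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
   (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
    Disable_writes CB_parity :bool) .

   PH_A_inst rep
    (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
     C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
     C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
     C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
     C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
     C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
     C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
     C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
     C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
     C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
     C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
     C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
     C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
     C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
     C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
    (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
     I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
     ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =

   let new_C_mfsm_stateA =
     ((C_mfsm_rst) => CMI |
     ((C_mfsm_state = CMI) => (C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~C_mfsm_busy /\ ~C_mfsm_invalid) => CMR | CMI |
     ((C_mfsm_state = CMR) => (C_mfsm_D /\ C_mfsm_grant /\ C_mfsm_hold_) => CMA3 | CMR |
     ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
     ((C_mfsm_state = CMA1) =>
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
        (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
     ((C_mfsm_state = CMA0) =>
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
        (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
     ((C_mfsm_state = CMA2) =>
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
        (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
     ((C_mfsm_state = CMD1) =>
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
        (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
     ((C_mfsm_state = CMD0) =>
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_mfsm_last_) => CMD1 |
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_last_) => CMW |
        (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
     ((C_mfsm_state = CMW) =>
        (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
        (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_mfsm_lock_) => CMI |
        (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_lock_ /\ ~C_mfsm_crqt_) => CMA3 | CMW |
     ((~C_mfsm_last_) => CMI | CMABT))))))))))) in

   let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in
   let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in
   let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in
   let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in
   let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in
   let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in
   let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in
   let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in
   let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in
   let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
        \/ ((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
        \/ ((new_C_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~C_mfsm_write
            /\ C_mfsm_srdy_en)) in
   let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA2)) in
   let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
        \/ (new_C_mfsm_stateA = CMD1)) in
   let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1) \/
        (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2) \/
        (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0) \/
        (new_C_mfsm_stateA = CMW) \/ (new_C_mfsm_stateA = CMABT))) in
   let ms1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) \/ (new_C_mfsm_stateA = CMA0) \/
        (new_C_mfsm_stateA = CMA2) \/ (new_C_mfsm_stateA = CMD1) \/
        ((new_C_mfsm_stateA = CMD0) /\ C_mfsm_last_) \/ (new_C_mfsm_stateA = CMW) \/
        (new_C_mfsm_stateA = CMABT))) in
   let ms0 = (ALTER ms1 (0) (((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_last_) \/
        ((new_C_mfsm_stateA = CMW) /\ C_mfsm_lock_) \/ (new_C_mfsm_stateA = CMABT))) in
   let new_C_mfsm_ms = ms0 in
   let new_C_mfsm_rqt_ = ~(~(new_C_mfsm_stateA = CMI)) in
   let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in
   let new_C_mfsm_cm_en = ((~(new_C_mfsm_stateA = CMI)) /\ (~(new_C_mfsm_stateA = CMR))) in
   let new_C_mfsm_abort_le_en_ = ~((new_C_mfsm_stateA = CMABT) \/ (new_C_mfsm_stateA = CMI)) in
   let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
        \/ (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2)
        \/ (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0)
        \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0)
        \/ (C_mfsm_state = CMA2) \/ (C_mfsm_state = CMD1)) in

   let new_C_sfsm_stateA =
     ((C_sfsm_rst) => CSI |
     (C_sfsm_state = CSI) => ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART)
          /\ ~C_sfsm_grant /\ C_sfsm_addressed) => CSA1 | CSI) |
     (C_sfsm_state = CSL) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ C_sfsm_addressed) => CSA1 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ ~C_sfsm_addressed) => CSI |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
     (C_sfsm_state = CSA1) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
     (C_sfsm_state = CSA0) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
        (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
     (C_sfsm_state = CSA0W) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
     (C_sfsm_state = CSALE) =>
       ((C_sfsm_D /\ C_sfsm_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
        (C_sfsm_D /\ ~C_sfsm_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
     (C_sfsm_state = CSRR) =>
       ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
     (C_sfsm_state = CSD1) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
     (C_sfsm_state = CSD0) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
        (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
     (C_sfsm_state = CSACK) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
        (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
     (C_sfsm_D) => CSI | CSABT) in

   let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSABT)))) in
   let ss1 = (ALTER ss2 (1) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
        /\ (~(new_C_sfsm_stateA = CSABT)))) in
   let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSA0W) \/
        ((new_C_sfsm_stateA = CSALE) /\ ~C_sfsm_write) \/
        (new_C_sfsm_stateA = CSACK))) in
   let new_C_sfsm_ss = ss0 in
   let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
        \/ ((new_C_sfsm_stateA = CSALE) /\ C_sfsm_write)
        \/ ((new_C_sfsm_stateA = CSD1) /\ C_sfsm_write /\ (~(C_sfsm_state = CSRR)))
        \/ ((new_C_sfsm_stateA = CSD0) /\ C_sfsm_write)
        \/ ((new_C_sfsm_stateA = CSACK) /\ C_sfsm_write)) in
   let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in
   let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in
   let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in
   let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in
   let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in
   let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in
   let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in
   let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in
   let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in
   let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in
   let new_C_sfsm_sparity = ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
        /\ (~(new_C_sfsm_stateA = CSABT))) in

   let new_C_efsm_stateA =
     ((C_efsm_rst) => CEI |
     (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
     ((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE) in
   let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in

   let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) =>
        new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in
   let cout_sel1 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) => F | new_C_mfsm_m_cout_sel1)) in
   let c_cout_sel = cout_sel1 in
   let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
   let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
        \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1)))
        \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
            /\ (ELEMENT CB_rqt_in_ (2)))
        \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
            /\ (ELEMENT CB_rqt_in_ (2)) /\ (ELEMENT CB_rqt_in_ (3)))) in
   let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in
   let new_C_clkAA = C_clkA in
   let new_C_sidle_delA = C_sidle_del in
   let new_C_mrqt_delA = C_mrqt_del in
   let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
   let c_dfsm_master = (new_C_mfsm_ma3 \/ new_C_mfsm_ma2 \/ new_C_mfsm_ma1 \/
        new_C_mfsm_ma0 \/ new_C_mfsm_md1 \/ new_C_mfsm_md0) in
   let c_dfsm_slave = (~new_C_sfsm_sidle /\ ~new_C_sfsm_slock) in
   let c_dfsm_cin_0_le = (ClkD /\ ((new_C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/
        (new_C_sfsm_sa0) \/ (new_C_sfsm_sd0 /\ c_write))) in
   let c_dfsm_cin_1_le = (ClkD /\ ((new_C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/
        (new_C_sfsm_sa1) \/ (new_C_sfsm_sd1 /\ c_write))) in
   let c_dfsm_cin_3_le = (ClkD /\ (new_C_sfsm_sidle \/ new_C_sfsm_slock)) in
   let c_dfsm_cin_4_le = (new_C_clkAA /\ new_C_sfsm_sa0) in
   let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
        \/ (new_C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
        \/ (new_C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
   let c_dfsm_cout_1_le = (new_C_clkAA /\ new_C_sfsm_sd1) in
   let c_dfsm_cad_en = ~((new_C_mfsm_ma3) \/ (new_C_mfsm_ma1) \/ (new_C_mfsm_ma0)
        \/ (new_C_mfsm_ma2) \/ (c_write /\ (new_C_mfsm_md1 \/ new_C_mfsm_md0))
        \/ (~c_write /\ (new_C_sfsm_sd1 \/ new_C_sfsm_sd0))) in
   let c_dfsm_i_male_ = ~(new_C_sfsm_sale /\ (~((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3))) /\ new_C_clkAA) in
   let c_dfsm_i_rale_ = ~(new_C_sfsm_sale /\ ((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3)) /\ new_C_clkAA) in
   let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (new_C_sfsm_sale \/ new_C_sfsm_sd1))
        \/ (~c_write /\ new_C_clkAA /\ new_C_sfsm_sack)
        \/ (c_write /\ ClkD /\ new_C_sfsm_sd0)) in
   let new_C_last_inA_ = I_last_in_ in
   let new_C_ssA = CB_ss_in in
   let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
   let new_C_cout_0_le_delA = C_cout_0_le_del in
   let new_C_cin_2_leA = C_cin_2_le in
   let new_C_mrdy_delA_ = C_mrdy_del_ in
   let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
   let new_C_wrdyA = C_wrdy in
   let new_C_rrdyA = C_rrdy in
   let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in
   let new_C_a1a0 =
     (((c_dfsm_master /\ new_C_cout_0_le_delA) \/ (~c_dfsm_master /\ c_dfsm_cout_1_le)) => C_iad_in | C_a1a0) in
   let new_C_a3a2 = ((new_C_mfsm_mrequest) => Ccr | C_a3a2) in
   let new_C_mfsm_state = C_mfsm_state in
   let new_C_mfsm_srdy_en = C_mfsm_srdy_en in
   let new_C_mfsm_D = C_mfsm_D in
   let new_C_mfsm_grant = C_mfsm_grant in
   let new_C_mfsm_rst = C_mfsm_rst in
   let new_C_mfsm_busy = C_mfsm_busy in
   let new_C_mfsm_write = C_mfsm_write in
   let new_C_mfsm_crqt_ = C_mfsm_crqt_ in
   let new_C_mfsm_hold_ = C_mfsm_hold_ in
   let new_C_mfsm_last_ = C_mfsm_last_ in
   let new_C_mfsm_lock_ = C_mfsm_lock_ in
   let new_C_mfsm_ss = C_mfsm_ss in
   let new_C_mfsm_invalid = C_mfsm_invalid in
   let new_C_sfsm_state = C_sfsm_state in
   let new_C_sfsm_D = C_sfsm_D in
   let new_C_sfsm_grant = C_sfsm_grant in
   let new_C_sfsm_rst = C_sfsm_rst in
   let new_C_sfsm_write = C_sfsm_write in
   let new_C_sfsm_addressed = C_sfsm_addressed in
   let new_C_sfsm_hlda_ = C_sfsm_hlda_ in
   let new_C_sfsm_ms = C_sfsm_ms in
   let new_C_efsm_state = C_efsm_state in
   let new_C_efsm_cale_ = C_efsm_cale_ in
   let new_C_efsm_last_ = C_efsm_last_ in
   let new_C_efsm_male_ = C_efsm_male_ in
   let new_C_efsm_rale_ = C_efsm_rale_ in
   let new_C_efsm_srdy_ = C_efsm_srdy_ in
   let new_C_efsm_rst = C_efsm_rst in
   let new_C_wr = C_wr in
   let new_C_sizewrbe = C_sizewrbe in
   let new_C_clkA = C_clkA in
   let new_C_sidle_del = C_sidle_del in
   let new_C_mrqt_del = C_mrqt_del in
   let new_C_last_in_ = C_last_in_ in
   let new_C_lock_in_ = C_lock_in_ in
   let new_C_ss = C_ss in
   let new_C_last_out_ = C_last_out_ in
   let new_C_hold_ = C_hold_ in
   let new_C_cout_0_le_del = C_cout_0_le_del in
   let new_C_cin_2_le = C_cin_2_le in
   let new_C_mrdy_del_ = C_mrdy_del_ in
   let new_C_iad_en_s_del = C_iad_en_s_del in
   let new_C_wrdy = C_wrdy in
   let new_C_rrdy = C_rrdy in
   let new_C_parity = C_parity in
   let new_C_source = C_source in
   let new_C_data_in = C_data_in in
   let new_C_iad_in = C_iad_in in

   (new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3,
    new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0,
    new_C_mfsm_iad_en_m,
    new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_,
    new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss,
    new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sa1, new_C_sfsm_sa0,
    new_C_sfsm_sale, new_C_sfsm_sd1, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort,
    new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA,
    new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_,
    new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA,
    new_C_iad_out, new_C_a1a0, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D,
    new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_,
    new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid,
    new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write,
    new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_,
    new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr,
    new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_,
    new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
    new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)"
 );;

% Output definition for Phase-A instruction. %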


let PH_A_out_def = new_defioition 
( 4 PH_A_out‘, 

“! (rep: A rep_ty) 

(C_mfsm_stateA C_mfsm_state :cmfsm_ty) 

(C_sfsm_stateA C_sfsm_state :csfsm_ty) 

(C_efsm_stateA C_efsm_state :cefsm_ty) 

(C_mfsm_ms C__sfsm_ss C_ssA C_iad_out C_alaO C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss 
C_source C_data_in C_iad_in :wordn) 

(C_jnfsm_mabort C_mfsm_midle C_mf sm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_mal 
C_mfsm_maO C_mf sm_md 1 C_mfsm_mdO C_mfsm_iad_en_m C_mfsm_m_cout_sel 1 C_mfsm_m_cout_selO 
C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity 
C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sal C_sfsm_saO 

C_sfsm_sale C_sfsm_sdl C_sfsm_sdO C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_seK) C_sfsm_sparity 
C_efsm_srdy_en 

C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA 
C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdy A C_rrdyA 
C_mfsm_srdy_en C_mfsm_D C_mfsm _grant C_mfsm_rst C jnfsm_busy C_mfsm_write 
C_mfsm_crqt_ C_mfsm_bold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_in valid 
C_sfsm_D C _sfsm_grant C_sfsm_rst C_sfsm_ write C_sfsm_addressed C_sfsm_hlda_ 

C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst 
C_wr C_clkA C_sidle_del C_mrqt_.de 1 C_last_in_ C_lock_in_ CJast_out_ 

C_bold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy 
C_rrdy C_parity :bool) 

(I_mrdy_in_ I_rale_in_ I_male_in_ I_Last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_ 

Rst ClkA CfltB ClkD Pmm_failure Piu_invalid Reset_error :bool) 

(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannellD Ccr rwordn) 

(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_ 

Disable_writes CB_parity :bool) . 

PH_A_out rep 

(C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm _jna3, C_mfsm_ma2, 

C_mfsm_maO, C_mfsm_mdl, C_mfsm_mdO, C_mfsm_iad_en _jn, C_mfsm_m_cout_sel t , 
C_mfsm_m_cout_selO, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_eo_, 
C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, 

C_sfsm_sal , C_sfsm_saO, C_sfsm_sale, C_sfsm_sd 1 , C_sfsm_sdO, C_sfsm_sack, C_sfsm_sabort, 
C_sfsm_s_cout_selO, C_sfsm_s parity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA, 
C_mrqt_delA, CJast_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA, 

C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA # C_iad_out, C_alaO, C_a3a2, C_mfsm_state, 
C_mfsm_srdy_en, C_mfsm_D, C_mfsm _grant, C _tnfsm_rst, C _jnfsm„busy, C_mfsm_write, C_mfsm_crqt_, • 
C_mfsm_bold_, C _mfsm_last_ > C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, 
C_sfsm — grant, C_sfsm_rst, C_sfsm_ write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms, 
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C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, 
C_efsm_rst, C_wr, C.sizewrbe, C_clkA, Cjiidle.del, C_mrqt_del, C _lastjn_, C _lock_in_, 

C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2Je, C_mrdy_del_, C _iad_en_s_del, C_wrdy, 
C_rrdy, C^parity, C_source, C_data_in, CJadJn) 

(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, Lmale_in_, IJastJn_, I_srdy_in_, IJock_, 

I_cale_» I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_msJn t CB_ss_in, Rst, ClkA, ClkB, 

ClkD, Id, CbannellD, Pmm_failure, Piujnvalid, Ccr, Reset_enor) = 


let new_C_mfsm_stateA = 

((C_mfsm_rst) => CMI 1 

((C_mfsm_state = CMI) => (C_mfsm_D A -C_mfsm_crqt_ A ~C_mfsm_busy A ~C_mfsm_mvahd) => CMR I CMI 
((C_mfsm_state = CMR) => (C_mfsm_D A C_mfsm_grant A C_mfsm_hold J => CMA3 I CMR I 
((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 I CMA3) I 


((C_mfsm_state = CMA1) => 

(C_mfsm_D A (C_mfsm_ss = A SRDY)) => CM AO I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMA1 1 
((C_mfsm_state = CM AO) => 

(C_mfsm_D A (C_mfsm_ss = A SRDY)) => CM A2 I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CM AO I 
((C_mfsm_state = CMA2) => 

(C_mfsm_D A (C _mfsm_ss = A SRDY)) => CMD1 I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMA2 I 
((C_mfsm_state = CMD1) => 

(C_mfsm_D A (C jnfsm_ss = A SRDY)) => CM DO I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMD1 1 
((C_mfsm_state = CM DO) => 

(C_mfsm_D A (C_mfsm_ss = A SRDY) A C.mfsmJastJ => CMD1 1 
(C_mfsm_D A (C_mfsm_ss = A SRDY) A ~C_mfsm_lastJ => CMW I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMDO I 
((C_mfsm_state = CMW) => 

(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I 
(C_mfsm_D A (C_mfsm_ss = A S ACK) A C_mfsmJock J => CMI I 

(C_mfsm_D A (C_mfsm_ss = A SRDY) A ~C_mfsmJock_ A ~C jnfsm_crqt_) => CM A3 I CMW I 
((«C.mfsm_IastJ => CMI t CMABT))))))))))) in 


let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in 
let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in 
let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in 
let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CM A3) in 
let new _C_mf sm_m a2 = (new_C_mfsm_stateA = CMA2) in 
let new_C_mf sm_ma 1 = (new_C_mfsm_stateA = CMA1) in 
let new_C_mfsm_maO = (new_C_mfsm_stateA = CMAO) in 
let new_C_mfsm_mdl = (new_C_mfsm_stateA = CMD1) in 
let new_C_mfsm_mdO = (new_C_mfsm_stateA = CMDO) in 

let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) A ~C_mfsm_write A C_mfsm_srdy_en) 

V ((new_C_mfsm_stateA = CMDO) A -C_mfsm_write A C_mfsm_srdy_en) 

V ((new_C_mfsm_stateA = CMW) A (C_mfsm_state = CMDO) A ~C_mfsm_write A C_mfsm_- 

srdy jen)) in 

let new_C_mf sm_m_co ut_sel 1 = ((new_C_mfsm_stateA = CM A3) V (new_C_mfsm_stateA = CM A2)) in 
let new_C_mfsm_m_cout_selO = ((new_C_mfsm_stateA = CMA3) V (new_C_mfsm_stateA = CMA1) V (new_C_mfsm_- 
stateA = CMD1 )) in 

let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) V (new_C_mfsm_stateA = CMA1) V 

(new_C_mfsm_stateA = CMAO) V (new_C_mfsm_stateA = CMA2) V 
(new_C_mfsm_stateA = CMD1) V (new_C_mfsm_stateA = CMDO) V 
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(new_C_jnfsm_stateA = CMW) V ( new_C_mfsm_state A = CMABT))) in 
let ms 1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) V ( ne w_C_mf sm_state A = CM AO) V 
( ne w_C_mfsm_state A = CMA2) V (new_C_mfsm_stateA = CMD1 ) V 
((new_C_mfsm_stateA = CMDO) A C_mfsm_last_) V (new_C_mfsm_stateA = CMW) V 
( ne w_C_mf sm_state A = CMABT))) in 

let msO = (ALTER msl (0) ( (( new_C_mfsm_state A = CMDO) A ~C_mfsm_last_) V 

( (ne w_C_mf sm_state A = CMW) A C_mfsmJockJ V (new_C_mfsm_stateA = CMABT))) in 
let new_C_mfsm_ms = msO in 

let new_C_mfsm_rqt_ = -(~(new_C_mfsm_stateA = CMI)) in 
let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in 

let new_C_mf sm_cm_en = ( ( ~( new_C_mfsm_state A = CMI)) A ( ~(new_C_mfsm jstate A = CMR))) in 
let new_C_mfsm_abort_le_en_ = ~((new_C_mfsm_stateA = CMABT) V (new_C_mfsm_stateA = CMI)) in 
let new_C_mfsm_mparity = ((new_C_mf&m_stateA = CMA3) V (new_C _mfsm_stateA = CMA1) 

V ( ne w_C_mfsm_state A = CM AO) V (new_C_mfsmjstateA = CMA2) 

V (new_C_mfsm_stateA = CMD1 ) V (new_C_mfsm_stateA = CMDO) 

V (Cjnfsm_state = CMA1) V (C_mfsm_state = CMAO) 

V (Cjnfsm_state = CMA2) V (C_mfsm_state = CMD1)) in 


let new_C_sfsm_stateA = 

((C_sfsm_rst) => CSI I 

(C_sfsm_state = CSI) => ({C_sfsm_D A (C_sfsm_ms = A M START) A ~C_sfsm_grant 

A C_sfsm_ad dressed) => CSA1 I CSI) I 

(C_sfsm_state = CSL) => 

((C_sfsm_D A (C_sfsm_ms = A M START) A ~C_sfsm _grant A C_sfsm_addressed ) => CSA1 I 
(C_sfsm_D A (C_sfsm_ms = A MSTART) A ~C_sfsm _grant A ~C_sfsm_addressed) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSL) I 
(C_sfsm_state = CSA1) => 

((C_sf$mJD A (C_sfsm_ms = A MRDY)) => CSAO I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSA1 ) I 
(C_sfsm_state = CSAO) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A ~C_sfsm JildaJ => CSALE I 
(C_sfsm_D A (C_sfsm_nis = A MRDY) A C_sfsmjilda_) => CS AOW I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAO) I 
(C_sfsm_state = CSAOW) => 

((C_sf$m_D A (C_sfsm_ms = A MRDY) A -C_sfsm_hldaJ => CSALE I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAOW) I 
(C_sfsm_state = CSALE) => 

((C_sfsm_D A C_sfsm_wnte A (C_sfsm_ms = A MRDY)) => CSD1 1 
(C_sfsm_D A ~C_sfsm_write A (C_sfsm_ms = A MRDY)) => CSRR I 
(C_sfsm_D A (C_sfsm_ms = A M ABORT)) => CSABT I CSALE) I 
(C_sfsm_state = CSRR) => 

((C_sfsm_D A ~(C_sfsm_ms = A M ABORT)) => CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT 1 CSRR) I 
(C_sfsm_state = CSD1 ) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSDO I 
(C_sfsm_D A (C_sfsm_m s = A MABORT)) => CSABT I CSD1 ) I 
(C_sfsm_state = CSDO) => 

((C_sfsm_D A (C_sfsm_ms = A MEND)) =» CSACK I 
(C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSDO) I 
(C_sfsm_state = CSACK) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSL I 
(C_sfsm_D A (C_sfsm_ms = A MWAIT)) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSACK) I 
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(C_sfsm_D) => CSI I CSABT) in 


let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) A (~{new_C_sfsm_stateA - CSABT)))) in 
let ssl = (ALTER ss2 (1) ( ( ~ ( new_C_s f s m_state A = CSI)) A (~(new_C_sfsm_stateA = CSACK)) 

A (~(new_C_sfsm__stateA = CSABT)))) in 

let ssO = (ALTER ssl (0) ((new_C_sfsm_stateA = CSAOW) V 

((new_C_sfsm_stateA = CS ALE) A ~C_sfsm_write) V 
(new_C_sfsm_stateA = CSACK))) in 

let new_C_sfsm_ss = ssO in 

let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) A (-(C^sfsn^state = CSALE))) 

V ( (new_C_sfsm_stateA = CSALE) A C_sfsm_write) 

V ( (new_C_sfsm_stateA = CSD1) A C_sfsm_write A (~(C_sfsm_state = CSRR))) 

V ((new_C_sfsm_stateA = CSDO) A C_sfsm_write) 

V ((new_C_sfsm_stateA = CS ACK) A C^sfsm^write)) in 
let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in 

let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in 
let new_C_sfsm_sal = (new_C_sfsm_stateA = CSA1) in 
let new_C_sfsm_saO = (new_C_sfsm_stateA = CSAO) in 
let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in 
let new_C_sfsm_sdl = (new_C_sfsm_stateA = CSD1) in 
let new_C_sfsm_sdO = (new_C_sfsm_stateA = CSDO) in 
let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in 
let new_C_sfsm_sabort = (new_C_sfsm_stateA — CSABT) in 
let new_C_sfsm_s_cout_selO = (new_C_sfsm_stateA = CSD1) in 

let new_C_sfsm_spanty = (( ~(ne w_C_sfsm_state A = CSI)) A (~(new_C_sfsm_stateA = CSACK)) 

A ( ~(new_C_sfsm_s tate A = CSABT))) in 

let new_C_efsm_stateA = 

((C_efsm_rst) => CEI I 

(C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE l CEI) I 

((~C_efsm_last_ A ~C_efsm_srdy_) V ~C_efsm_male_ V ~C_efsm_rale_) => CEI l CEE) in 
let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) V (C_efsm_state = CEE)) in 
let cout_selO = (ALTER ARBN (0) ((new_C_sfsm_sdl V new_C_sfsm_sdO) => 

new_C_sfsm_s_cout_selO I new_C_mfsm_m_cout_selO)) in 
let cout_sellO = (ALTER cout_selO (1) ((new_C_sfsm_sdl V new_C_sfsm_sdO) => F I new_C_mfsm_m_cout_sell)) in 
let c_cout_sel = cout_sellO in 

let c_busy = (-((SUB ARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in 

let c_grant = ((((SUB ARRAY Id ( 1 ,0)) = (WORDN 0)) A -(ELEMENT CB_rqt_in_ (0))) 

V (((SUB ARRAY Id (1.0)) = (WORDN 1)) A -(ELEMENT CB_rqt_in_ (0)) A (ELEMENT CB_rqt_in_ (1))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 2)) A -(ELEMENT CB_rqt_in_ (0)) A (ELEMENT CB_rqt_m_ (1)) 

A (ELEMENT CB_rqt_in_ (2))) 

V (((SUB ARRAY Id ( 1 ,0)) = (WORDN 3 )) A -(ELEMENT CB_rqt_in_ (0)) A (ELEMENT CB_rqt_in_ ( 1 )) 

A (ELEMENT CB_rqt_in_ (2)) A (ELEMENT CB_rqt_in_(3)))) in 

let c_write = ((new_C_mfsm_cm_en) => C_wr I (ELEMENT C_sizewrbe (5))) in 

let new_C_clkAA = C_clkA in 

let new_C_sidle_delA = C_sidle_del in 

let new_C_mrqt_deLA = C_mrqt_del in 

let c_dfsm_srdy = (CB_ss_in = A SRDY) in 

let c_dfsm_master = (new_C_mfsm_ma3 V new_C_mfsm_ma2 V new_C_mfsm_mal V 
new_C_mfsm_maO V new_C_mfsm_mdl V new_C_mfsm_mdO) in 
let c_dfsm_slave = (~new_C_sfsm_sidle A ~new_C_sfsm_slock) in 
let c_dfsm_cin_0 Je = (ClkD A ((new_C„mfsm_mdO A c_dfsm_srdy A ~c_write) V 

(new_C_sfsm_saO) V (new_C_sfsm_sdO A c_write))) in 
let c_df sm_cin_ 1 _le = (ClkD A ((new _C_mfsm_mdl A c_dfsm_srdy A ~c_write) V 
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(new_C_sfsm_sal ) V ( ne w_C_sfsm_sd 1 Ac_write))) in 
let c_dfsm_cin_3_le = (ClkD A (new_C_sfsin_sidle V new_C_sfsm_slock)) in 
let c_dfsm_cin_4_le = (new_C_cikAA A new_C_sfsm_saO) in 
let c_dfsm_cout_0_le * ((I_cale_) V (I_srdy_in_ A write) 

V ( new _C_mf sm_m aO A c_dfsm_srdy A c_write A ClkD) 

V ( new_C_mf sm_mdO A c_write A c_dfsm_srdy A ClkD)) in 
let c_d f sm_co ut_ 1 _le = (new_C_clkAA A new_C_sfsm_sd 1 ) in 

let c_dfsm_cad_en = ~((oew_C_mfsm_ma3) V (new_C_mfsm_mal) V (new_C_mfsm_maO) 

V (aew_C_mfsm _ma2) V (c_ write A (new_C_mfsm _jndl V new_C_.mfsm_.mdO)) 

V (~c_write A (oew_C__sfsm_sd 1 V ne w_C_sfsm_sdO ))) in 

let c_dfsm_i_male_ = ~(new_C_sfsm_sale A (-((SUB ARRAY C_sizewrbe (1,0)) = (WORDN 3))) A new_C_clkAA) in 
let c_dfsm_i_rale_ = ~ ( ne w_C_s fsm_sale A ((SUB ARRAY C_sizewrbe (1,0)) = (WORDN 3)) A new_C_clkAA) in 
let c_dfsm_i_mrdy_ = ~((~c_write A ClkD A (new_C_sfsm_sale V new_C_sfsm_sdl)) 

V (~c_write A new_C_clkAA A new__C_sfsm_sack) 

V (c_write A ClkD A new_C_sfsm_sdO)) in 
let new_CJast_inA_ = I_last_m_ in 

let new_C_ssA = CB_ss_in in 

let new_C_holdA__ = ((ClkD) => C_hold_ I C_boldA_) in 
let new_C_cout_0_le_delA = C_cout_0_le_del in 
let new_C_cin_2JeA = C_cin_2Je in 
let new_C_mrdy_delA_ = C_mrdy_del_ in 

let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del I C Jad_en_s_delA) in 
let new_C_wrdyA = C_wrdy in 
let new_C_rrdyA = C_rrdy in 

let new_C_iad_out = ((new_C_cin_2JeA) => C_data_in I C _iad_out) in 
let new_C_alaO = 

(((c_dfsm_master A new_C_cout_0_le_delA) V (~c_dfsm_master A c_dfsm_cout_l_le)) => C_iad_in t C_al aO) in 
let new_C_a3a2 = ( ( ne w_C_mfsm_mreq u es t) => Ccr I C_a3a2) in 
let new_C_mfsm_state = C_mfsm_state in 
let new_C_mfsm_srdy_en = C_mfsm_srdy_en in 
let new_C_mfsm_D = C_mfsm_D in 
let new_C_mfsm_grant = C_mfsm __grant in 
let new_C_mfsm_rst = C_mfsm_rst in 
let new_C_mfsm_busy = C_mfsm_busy in 
let new_C_mfsm_write = C_mfsm_write in 
let new_C_mfsm_crqt_ = C_mfsm_crqt_ in 
let new_C_mfsm_hold_ = C_mfsm_hold_ in 
let new_C_mfsm_last_ = C_mfsm_last_ in 
let new_C_mfsm_lock_ = C_mfsm_lock_ in 
let new_C_mfsm_ss = C_mfsm_ss in 
let new_C_mfsm_in valid = C_mfsm_in valid in 
let new_C_sfsm_state = C_sfsm_state in 
let new_C_sfsm_D = C_sfsm_D in 
let new_C_sfsm __grant = C_sfsm_grant in 
let new__C_sfsm_rst = C_sfsm ^rst in 
let new_C_sfsm_write = C_sfsm_wnte in 
let new_C_sfsm_addressed = C_sfsm_addressed in 
let new_C_sfsm_hlda_ = C_sfsm_hlda_ in 
let new_C_sfsm_ms = C_sfsm_ms in 
let new_C_efsm_state = C_efsm_state in 
let new_C_efsm_cale_ = C_efsm_cale_ in 
let new_C_efsm_last_ = C_efsm_last_ in 
let new_C_efsm_male_ = C_efsm_male_ in 
let new_C_efsm_rale_ - C_efsm_rale_ in 
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let new_C_efsm_srdy_ = C_efsm_srdy_ in 

let new_C_efsm_rst = C_efsm_rst in 

let new_C_wr = C_wr in 

let new_C_sizewrbe = C_sizewrbe in 

let new_C_clkA = C_clkA in 

let new_C_sidle_del = C_sidle_del in 

let new_C_mrqt_del = C_mrqt_del in 

let new_C_last_in_ = C_last_in_ in 

let new_CJock_in_ = C_lock_in_ in 

let new_C_ss = C_ss in 

let new_CJast_out_ = C_last_out_ in 

let new_C_h°ld_ = C_hold_ in 

let new_C_cout_0_le_del = C_cout_0_le_del in 

let new_C_cin_2_le = C_cin_2_le in 

let new_C_mrdy_del_ = C_mrdy_del_ in 

let new_C_iad_en_s_del = C_iad_en_s_del in 

let new_C_wrdy = C_wrdy in 

let new_C_rrdy = C_rrdy in 

let new_C_parity = C_parity in 

let new_C_source = C_source in 

let new_C_data_in = C_data_in in 

let new_C_iad_in = C_iad_in in 

let I_cgnt_ = ne\v_C_mfsm_cgnt_ in 

let l_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ I ARB) in 
let I_hold_ = ne w_C_ho 1 dA_ in 

let Lrale_out_ = ((~I_hlda_) => c_dfsm_i_rale_ I ARB) in 
let I_male_out_ = ((~I_hldaJ => c_dfsm_i_male_ I ARB) in 
let I_last_out_ = ((~I_hlda_) => new_CJast_out_ I ARB) in 
let I_srdy_out_ = 

((~I_cale_ V new_C_efsm_srdy_en) => -(new_C_wrdyA V new_C_rrdyA V new_C_mfsm_mabort) I ARB) in 
let I_be_out_ = ((~I_hldaJ => (SUBARRAY new_C_sizewrbe (9,6)) I ARBN) in 
let I_ad_out = 

((new_C_iad_en_s_delA V new_C_mfsm_iad_en_m V new^C_sfsm_iad_en_s) => new_C_iad_out I ARBN) in 
let CB_rqt_out_ = new_C_mfsm_rqt_ in 

let cbmslO = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1 ,0))) in 

let cbms210 = (ALTER cbmslO (2) ((ELEMENT oew_C_mfsm_ms (2)) A -Pmm.failure A -Piujnvalid)) in 

let CB_ms_out = ((~new_C_mfsm_cm_en) => cbms210 I ARBN) in 

let cbsslO = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in 

let cbss210 = (ALTER cbmslO (2) ((ELEMENT new_C_sfsm_ss (2)) A -Pmm_failure A -Piu.invalid)) in 
let CB_ss_out = ((-new_C_sfsm_sidle A -new_C_sfsm_sabort) => cbss210 1 ARBN) in 
let CB_ad_out = ((c_dfsm_cad_en) => 

((c_cout_sel = (WORDN 0)) => Par_Enc rep ((SUBARRAY new_C_alaO (15,0))) I 
((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_alaO (31,16))) I 
((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUBARRAY new_C_a3a2 (15,0))) I 
Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) I 
ARBN) in 

let C_ss_out = new_C_s s in 

let Disable_writes = (c_dfsm_slave A -((ChannellD = (WORDN 0)) A (ELEMENT new_C_source (6))) 

A -((ChannellD = (WORDN 1)) A (ELEMENT new_C_source (7))) 

A -((ChannellD = (WORDN 2)) A (ELEMENT new_C_source (8))) 

A -((ChannellD = (WORDN 3)) A (ELEMENT new_C_source (9)))) in 

let CB_parity = new_C_parity in 
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(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, IJast_out_, I_srdy_out_, I_ad_out, I_be_out_, 
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disablejwrites, CB_parity)” 

);; 


%
Next-state definition for Phase-B instruction.
%


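%
  PH_B_inst: next-state function for the Phase-B instruction.

  Arguments, in order: rep, the current state tuple and the environment
  (input) tuple.  The result is the new state tuple, in the same field
  order as the state argument.  rep is only passed on to Par_Det and
  Par_Dec.

  Fields that change in this phase:
    - bus-side latches: C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del,
      C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_,
      C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
      C_rrdy, C_parity, C_source, C_data_in, C_iad_in;
    - the input latches of the three state machines (C_mfsm_state ..
      C_mfsm_invalid, C_sfsm_state .. C_sfsm_ms, C_efsm_state ..
      C_efsm_rst).
  Every field from C_mfsm_stateA through C_a3a2 is copied unchanged.

  Points a proof or review has to account for:
    - new_C_parity is T when (ClkD and c_pe and c_pe_cnt) holds with
      I_cale_ high, F when it does not hold and I_cale_ is low, and keeps
      C_parity when it does not hold and I_cale_ is high.  The remaining
      case, parity error detected while I_cale_ is low, yields ARB, so
      the parity latch is unspecified there.
    - new_C_last_out_ has the same shape: C_sfsm_sa1 together with
      ClkD and (mend or mabort) yields ARB.
    - On Rst, C_sizewrbe becomes ARBN, while C_source and C_data_in
      become WORDN 0 and C_last_in_ / C_lock_in_ become F.
    - c_cout_sel, c_dfsm_master, c_dfsm_slave, c_dfsm_cin_4_le,
      c_dfsm_cout_1_le, c_dfsm_cad_en, c_dfsm_i_male_ and c_dfsm_i_rale_
      are bound here but do not feed the returned state.
    - The output variables (I_cgnt_ .. CB_parity) are quantified but do
      not occur in the body.

  NOTE(review): this text is restored from a scanned listing.  The
  connectives, the conditional bar, the antiquotation marks and the 0/1
  digits in names (ma3..ma0, md1/md0, sa1/sa0, sd1/sd0, a1a0, sel1/sel0)
  were recovered from context and from the parallel Phase-A and Phase-B
  output listings.  Confirm against the original before relying on:
    - new_C_sfsm_state = C_sfsm_state and new_C_efsm_state = C_efsm_state
      (kept as printed), whereas new_C_mfsm_state = C_mfsm_stateA;
    - the unparenthesised C_mfsm_mabort \/ C_mfsm_md1 /\ ClkD in
      new_C_last_in_ (kept as printed).
%
let PH_B_inst_def = new_definition
  (`PH_B_inst`,
   "! (rep:^rep_ty)
      (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
      (C_sfsm_stateA C_sfsm_state :csfsm_ty)
      (C_efsm_stateA C_efsm_state :cefsm_ty)
      (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
       C_source C_data_in C_iad_in :wordn)
      (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
       C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
       C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
       C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
       C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
       C_efsm_srdy_en
       C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
       C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
       C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
       C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
       C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
       C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
       C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
       C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
       C_rrdy C_parity :bool)
      (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
       Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
      (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
      (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
       Disable_writes CB_parity :bool) .
    PH_B_inst rep
      (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
       C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
       C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
       C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
       C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
       C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
       C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
       C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
       C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
       C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
       C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
       C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
       C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
       C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
       C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
      (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
       I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
       ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =

    let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
    let new_C_sizewrbe = ((Rst) => ARBN |
                          ((C_sfsm_sa0 /\ C_clkAA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
    let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
    let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 \/ C_sfsm_sd0) =>
                                     C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in
    let cout_sel10 = (ALTER cout_sel0 (1) ((C_sfsm_sd1 \/ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
    let c_cout_sel = cout_sel10 in
    let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
    let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
                   \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
                       /\ (ELEMENT CB_rqt_in_ (1)))
                   \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
                       /\ (ELEMENT CB_rqt_in_ (1))
                       /\ (ELEMENT CB_rqt_in_ (2)))
                   \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
                       /\ (ELEMENT CB_rqt_in_ (1))
                       /\ (ELEMENT CB_rqt_in_ (2))
                       /\ (ELEMENT CB_rqt_in_ (3)))) in
    let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
    let c_dfsm_master = (C_mfsm_ma3 \/ C_mfsm_ma2 \/ C_mfsm_ma1 \/ C_mfsm_ma0 \/ C_mfsm_md1 \/ C_mfsm_md0) in
    let c_dfsm_slave = (~C_sfsm_sidle /\ ~C_sfsm_slock) in
    let c_dfsm_cin_0_le = (ClkD /\ ((C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa0)
                                    \/ (C_sfsm_sd0 /\ c_write))) in
    let c_dfsm_cin_1_le = (ClkD /\ ((C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa1)
                                    \/ (C_sfsm_sd1 /\ c_write))) in
    let c_dfsm_cin_3_le = (ClkD /\ (C_sfsm_sidle \/ C_sfsm_slock)) in
    let c_dfsm_cin_4_le = (C_clkAA /\ C_sfsm_sa0) in
    let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
                            \/ (C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
                            \/ (C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
    let c_dfsm_cout_1_le = (C_clkAA /\ C_sfsm_sd1) in
    let c_dfsm_cad_en = ~((C_mfsm_ma3) \/ (C_mfsm_ma1) \/ (C_mfsm_ma0) \/ (C_mfsm_ma2) \/
                          (c_write /\ (C_mfsm_md1 \/ C_mfsm_md0)) \/ (~c_write /\ (C_sfsm_sd1 \/ C_sfsm_sd0))) in
    let c_dfsm_i_male_ = ~(C_sfsm_sale /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkAA) in
    let c_dfsm_i_rale_ = ~(C_sfsm_sale /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkAA) in
    let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (C_sfsm_sale \/ C_sfsm_sd1)) \/
                           (~c_write /\ C_clkAA /\ C_sfsm_sack) \/ (c_write /\ ClkD /\ C_sfsm_sd0)) in
    let new_C_clkA = ClkD in
    let new_C_sidle_del = C_sfsm_sidle in
    let new_C_mrqt_del = C_mfsm_mrequest in
    let new_C_last_in_ = ((Rst) => F |
                          ((C_mfsm_mabort \/ C_mfsm_md1 /\ ClkD) => C_last_inA_ | C_last_in_)) in
    let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_ma1) => I_lock_ | C_lock_in_)) in
    let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in
    let mend = (CB_ms_in = ^MEND) in
    let mabort = (CB_ms_in = ^MABORT) in
    let new_C_last_out_ =
      ((C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => T |
       ((~C_sfsm_sa1 /\ (ClkD /\ (mend \/ mabort))) => F |
        ((~C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => C_last_out_ | ARB))) in
    let new_C_hold_ = C_sfsm_sidle in
    let new_C_cout_0_le_del = c_dfsm_cout_0_le in
    let new_C_cin_2_le = c_dfsm_cin_0_le in
    let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in
    let new_C_iad_en_s_del = C_sfsm_iad_en_s in
    let new_C_wrdy = (c_dfsm_srdy /\ c_write /\ C_mfsm_md1 /\ ClkD) in
    let new_C_rrdy = (c_dfsm_srdy /\ ~c_write /\ C_mfsm_md0 /\ ClkD) in
    let c_pe = (Par_Det rep CB_ad_in) in
    let c_pe_cnt = (ClkD /\ ((~(C_mfsm_mparity = C_sfsm_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
    let new_C_parity =
      (((ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => T |
       ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~I_cale_) => F |
        ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => C_parity | ARB))) in
    let new_C_source = ((Rst) => (WORDN 0) |
                        ((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in
    let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
                                             ((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) |
                                              (SUBARRAY C_data_in (31,16))))) in
    let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
                                                   ((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) |
                                                    (SUBARRAY C_data_in (15,0))))) in
    let new_C_data_in = data_in31_0 in
    let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad_in | C_iad_in) in
    let new_C_mfsm_state = C_mfsm_stateA in
    let new_C_mfsm_srdy_en = C_efsm_srdy_en in
    let new_C_mfsm_D = ClkD in
    let new_C_mfsm_grant = c_grant in
    let new_C_mfsm_rst = Rst in
    let new_C_mfsm_busy = c_busy in
    let new_C_mfsm_write = c_write in
    let new_C_mfsm_crqt_ = I_crqt_ in
    let new_C_mfsm_hold_ = C_holdA_ in
    let new_C_mfsm_last_ = new_C_last_in_ in
    let new_C_mfsm_lock_ = new_C_lock_in_ in
    let new_C_mfsm_ss = CB_ss_in in
    let new_C_mfsm_invalid = Piu_invalid in
    let new_C_sfsm_state = C_sfsm_state in
    let new_C_sfsm_D = ClkD in
    let new_C_sfsm_grant = c_grant in
    let new_C_sfsm_rst = Rst in
    let new_C_sfsm_write = c_write in
    let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in
    let new_C_sfsm_hlda_ = I_hlda_ in
    let new_C_sfsm_ms = CB_ms_in in
    let new_C_efsm_state = C_efsm_state in
    let new_C_efsm_cale_ = I_cale_ in
    let new_C_efsm_last_ = I_last_in_ in
    let new_C_efsm_male_ = I_male_in_ in
    let new_C_efsm_rale_ = I_rale_in_ in
    let new_C_efsm_srdy_ = I_srdy_in_ in
    let new_C_efsm_rst = Rst in
    let new_C_mfsm_stateA = C_mfsm_stateA in
    let new_C_mfsm_mabort = C_mfsm_mabort in
    let new_C_mfsm_midle = C_mfsm_midle in
    let new_C_mfsm_mrequest = C_mfsm_mrequest in
    let new_C_mfsm_ma3 = C_mfsm_ma3 in
    let new_C_mfsm_ma2 = C_mfsm_ma2 in
    let new_C_mfsm_ma1 = C_mfsm_ma1 in
    let new_C_mfsm_ma0 = C_mfsm_ma0 in
    let new_C_mfsm_md1 = C_mfsm_md1 in
    let new_C_mfsm_md0 = C_mfsm_md0 in
    let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in
    let new_C_mfsm_m_cout_sel1 = C_mfsm_m_cout_sel1 in
    let new_C_mfsm_m_cout_sel0 = C_mfsm_m_cout_sel0 in
    let new_C_mfsm_ms = C_mfsm_ms in
    let new_C_mfsm_rqt_ = C_mfsm_rqt_ in
    let new_C_mfsm_cgnt_ = C_mfsm_cgnt_ in
    let new_C_mfsm_cm_en = C_mfsm_cm_en in
    let new_C_mfsm_abort_le_en_ = C_mfsm_abort_le_en_ in
    let new_C_mfsm_mparity = C_mfsm_mparity in
    let new_C_sfsm_stateA = C_sfsm_stateA in
    let new_C_sfsm_ss = C_sfsm_ss in
    let new_C_sfsm_iad_en_s = C_sfsm_iad_en_s in
    let new_C_sfsm_sidle = C_sfsm_sidle in
    let new_C_sfsm_slock = C_sfsm_slock in
    let new_C_sfsm_sa1 = C_sfsm_sa1 in
    let new_C_sfsm_sa0 = C_sfsm_sa0 in
    let new_C_sfsm_sale = C_sfsm_sale in
    let new_C_sfsm_sd1 = C_sfsm_sd1 in
    let new_C_sfsm_sd0 = C_sfsm_sd0 in
    let new_C_sfsm_sack = C_sfsm_sack in
    let new_C_sfsm_sabort = C_sfsm_sabort in
    let new_C_sfsm_s_cout_sel0 = C_sfsm_s_cout_sel0 in
    let new_C_sfsm_sparity = C_sfsm_sparity in
    let new_C_efsm_stateA = C_efsm_stateA in
    let new_C_efsm_srdy_en = C_efsm_srdy_en in
    let new_C_clkAA = C_clkAA in
    let new_C_sidle_delA = C_sidle_delA in
    let new_C_mrqt_delA = C_mrqt_delA in
    let new_C_last_inA_ = C_last_inA_ in
    let new_C_ssA = C_ssA in
    let new_C_holdA_ = C_holdA_ in
    let new_C_cout_0_le_delA = C_cout_0_le_delA in
    let new_C_cin_2_leA = C_cin_2_leA in
    let new_C_mrdy_delA_ = C_mrdy_delA_ in
    let new_C_iad_en_s_delA = C_iad_en_s_delA in
    let new_C_wrdyA = C_wrdyA in
    let new_C_rrdyA = C_rrdyA in
    let new_C_iad_out = C_iad_out in
    let new_C_a1a0 = C_a1a0 in
    let new_C_a3a2 = C_a3a2 in

    (new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3,
     new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0,
     new_C_mfsm_iad_en_m,
     new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_,
     new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss,
     new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sa1, new_C_sfsm_sa0,
     new_C_sfsm_sale, new_C_sfsm_sd1, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort,
     new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA,
     new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_,
     new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA,
     new_C_iad_out, new_C_a1a0, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D,
     new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_,
     new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid,
     new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write,
     new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_,
     new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr,
     new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_,
     new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
     new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)"
  );;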


%

Output definition for Phase-B instruction.

%


let PH_B_out_def = new_definition 
(‘PH_B-.out 4 , 

14 1 (rep:*rep_ty) 

(C_mfsm_stateA C_mfsm_state :cmfsm_ty) 

(C_sfsm_stateA C_sfsm_state :csfsm_ty) 

(C_efsm_stateA C_efsm_state :cefsm_ty) 

(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_al aO C_a3a2 Cjnfsm_ss C_sfsm_ms C_sizewrbe C_ss 
C_source C_data__in C_iad_in rwordn) 

(C_mfsm_mabort C_mfsm_midle C_mf sm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_mal 
C_mfsm_maO C_mfsm_mdl C_mfsm_mdO C _mfsm_iad_en_m C_mfsm_m_cout_sell C_mfsm_m_cout__selO 
C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_m fsm_abort_le_en_ C_mfsm_mparity 
C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sal C_sfsm_saO 

C_sfsm_sale C_sfsm_sdl C_sfsm_sdO C_sfsm_saek C_sfsm_sabort C_sfsm_s_cout_selO C_sfsm_spanty 
C_efsm_srdy_en 

CjdkAA C_sidle_delA C_mrqt_delA C Jast JnA_ C _boldA_ C_cout_0 Je_delA 
C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C__rrdyA 
C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst Cjnfsm_busy C_mfsm_write 
C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid 
C_sfsm_D C_sfsm_grant C_s fsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_ 

C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst 
C_wr C_clkA C_sidle_del C_mrqt_del C Jast_in_ C_lock_in_ C Jast_out_ 

C_hoId_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ CJad_en_s_del C_wrdy 
C_rrdy C_parity :bool) 

(I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ l_hlda_ I_crqt_ 

Rst ClkA ClkB ClkD Pmm_faiiure Pi u_in valid Reset_error :bool) 

(Ladjn I_be_in_ CB_rqt_in_ CB_ad_in CB _ms_m CB_ss_in Id ChannellD Ccr :wordn) 

(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_ 

Disable__wntes CB_parity :bool) . 

PH_B-.out rep 

(C_mfsm_stateA, C_mf sm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2, 
C_mfsm_mal , C_mfsm_maO, C_mfsm_mdl, C_mfsm_mdO, C_mfsm_iad_en_m , C_mfsm_m_cout_sel 1 , 
C_mfsm_m_cout_selO, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mf sm_cm_en , C_mfsm_abort_le_en„, 
C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_s fsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, 

C_sfsm_sal, C_sfsm_s*0, C_sfsm_sale, C_sfsm_sd 1 , C_sfsm_sdO, C_sfsm_sack, C_sfsm_sabort, 
C_sfsm_s_cout_selO, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA, 
C_mrqt_delA, C_last_inA_, C_ss A, C_holdA_, C_cout_0_le_delA, C_cin_2_leA, 
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C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_ndyA, C_iad_out, C_alaO, C_a3a2, C_mfsm_state, 
C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_tnfsm_ write, C_mfsm_crqt_, 
C_mfsm_bold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, 
C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hkia_, C_sfsm_ms, 

C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, 

C_efsm_rst, C_wr, C_sizewibe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, 

C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_midy_deL, C_iad_en_s_del, C_wrdy, 

C_rrdy, C_parity, C„source, C_data_in, C_iad_in) 

(I_ad_m, I_bejn_, I_mrdy_in_, Lrale_in_, I_male_in_, IJastJn_, I_sidy_in_, IJock_, 

I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_msJn, CB_ss_in, Rst, CikA, ClkB, 

ClkD, Id, ChannellD, Pmm_failure, Piu_invalid, Ccr, Reset_enor) = 

let new_C_wr = ((-Lcale J => (ELEMENT I_ad Jn (27)) I C_wr) in 
let new_C_sizewrbe = ((Rst) => ARBN I 

((C_sfsm_saO A C.clkAA) => (SUBARRAY C_data_in (31,22)) I C_sizewrbe)) in 
let c_write = ( (C_mf sm_cm_en) => new_C_wr I (ELEMENT n e w_C_size wrbe (5))) in 
let coutjselO = (ALTER ARBN (0) ((C_sfsm_sdl V C_sfsm_sd0) => 

C_sfsm_s_cout_selO I C_mfsm_m_cout_selO)) in 

let cout_se!10 = (ALTER cout_selO (1) ((C_sfsm_sdl V C_sfsm_sdO) => F I C_mfsm_m_cout_sel 1 ) ) in 
let c_cout_sel = counsel 10 in 

let c_busy = (-((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) iD 

let c_grant = ((((SUB ARRAY Id ( 1 ,0)) = (WORDN 0)) A -(ELEMENT CB_rqt_in_ (0))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 1)) A -(ELEMENT CB_rqt_m_ (0)) 

A (ELEMENT CBjqtJn. (1))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 2)) A -(ELEMENT CB_iqt_in_ (0)) 

A (ELEMENT CB_rqt_in_ (1)) 

A (ELEMENT CB_xqt_in_ (2))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 3)) A -(ELEMENT CB_jqt_in_ (0)) 

A (ELEMENT CB_rqt_in_ (1)) 

A (ELEMENT CB jqt_in_ (2)) 

A (ELEMENT CB_rqt_in_ (3)))) in 

let c_dfsm_srdy = (CB_ss_in = A SRDY) in 

let c_dfsm_master = (C_mfsm_ma3 V C_mfsm_ma2 V C_mfsm_mal V C_mfsm_maO V C_mfsm_mdl V C_mfsm_mdO) in 
let c_dfsm_slave = (-C_sfsm_sidle A ~C_sfsm_slock) in 

let c_dfsm_cin_0_le = (ClkD A ((C_mfsm_mdO A c_dfsm_srdy A ~c_write) V (C_sfsm_saO) 

V (C_sfsm_sdO A c_write))) in 

let c_dfsm_cin_l_le = (ClkD A ((C_mfsm_mdl A c_dfsm_srdy A -c_write) V (C_sfsm_sal) 

V (C_sfsm_sd 1 A c_write))) in 

let c_dfsm_cin_3_le = (ClkD A (C_sfsm_sidle V C_sfsm_slock)) in 

let c_dfsm_cin_4Je = (C_clkAA A C_sfsm_saO) in 

let c_df sm_co ut_0_le = ((I_cale J V (I_srdy_in_ A -c.write) 

V (C_mfsm_maO A c_dfsm_srdy A c_write A ClkD) 

V (C_mfsm_mdO A c_write A c_dfsm_srdy A ClkD)) in 
let c_dfsm_cout_l_le = (C_clkAA A C_sfsm_sd 1 ) in 

let c_dfsm_cad_en = -((C_mfsm_ma3 ) V (C_mfsm_mal ) V (C_mfsm_maO) V (C_mf*m_ma2) V 

(c_write A (C_mfsm_mdl V C_mfsm_mdO)) V (~c_write A (C_sfsm_sdl V C_sfsm_sdO))) in 
let c_dfsm_i_male_ = ~(C_sfsm_sale A (-((SUB ARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) A C_clkAA) in 
let c_dfsm_i_rale_ = ~(C_sfsm_sale A ((SUB ARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) A C_clkAA) in 
let c_dfsm_i_mrdy_ = ~((~c_write A ClkD A (C_sfsm_sale V C_sfsm_sdl)) V 

(~c_write A C_clkAA A C_sfsm_sack) V (c_write A ClkD A C_sfsm_sdO)) in 

let new_C_clkA = ClkD in 

let new_C_sidle_del = C_sfsm_sidle in 

let new_C_mrqt_del = C_mfsm_mrequest in 





let new_C Jast_in_ - ((Rst) => F I 

((C _mfsm_mabort V C_mfsm __mdl A ClkD) => C_last_inA_ I C_last_in_)) in 
let new_CJock_in_ = ((Rst) => F I ((C_mfsm_mal) => I_lock_ I CJock_in_)) in 
let new_C_ss = ( (C_mf sm_abort_le_en_) => C_ssA I C_ss) in 
let mend = (CB_ms_in = A MEND) in 
let mabort = (CB_ms_in = A MABORT) in 
let new_C_last_out_ = 

((C_sfsm_sal A -(ClkD A (mend V mabort))) => T I 
((~C_sfsm_sal A (ClkD A (mend V mabort))) => F I 
((~C_sfsm_sal A -(ClkD A (mend V mabort))) => CJast_out_ ! ARB))) in 
let new_C_hold_ = C_sfsm_sidle in 
let new_C_cout_0_le_del = c_d fsm_cout_0_le in 
let new_C_cin_2_le = c_dfsm_cin_0_le in 
let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in 
let new_C_iad_en_s_del = C_sfsm_iad_en_s in 
let new_C_wrdy = (c_dfsm_srdy A c_write A C_mfsm_jndl A ClkD) in 
let new_C_rrdy *= (c_dfsm_srdy A -c_write A C_mfsm_mdO A ClkD) in 
let c_pe = (ParJDet rep CB_ad_in) in 

let c_pe_cnt = (ClkD A ((-{C_mfsm_mparity = C_sfsm_s parity)) V ((SUB ARRAY CB_ss_in (1,0)) = (WORDN 0)))) in 
let new_C_parity = 

(((ClkD A c_pe A c_pe_cnt) A I_cale_) => T I 
((-(ClkD A c_pe A c_pe_cnt) A -I_cale_) => F I 
((-(ClkD A c_pe A c_pe_cnt) A I_cale_) => Charity I ARB))) in 
let new_C_source = ((Rst) => (WORDN 0) I 

((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) I C_source)) in 
let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) I 

((c_dfsm_cin_l_le) => ParJDec rep (CB_ad_in) I 
(SUBARRAY C_data_in (31,16))))) in 
let datajm31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) I 

((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) I 
(SUB ARRAY C.data.in (15,0))))) in 

let new_C_data_in = data_in31_0 in 

let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad Jn I C_iad _in) in 

let new_C_mfsm_state = C_mfsm_stateA in 

let new_C_mfsm_srdy_en = C_efsm_srdy_en in 

let new_C_mfsm_D = ClkD in 

let new_C_mfsm _grant = c _grant in 

let new_C_mfsm_rst = Rst in 

let new_C_mfsm_busy = c_busy in 

let new_C_mfsm_write = c_write in 

let new_C_mfsm_crqt__ = I_crqt_ in 

let new_C_mfsm_hold_ = C_holdA_ in 

let new_C_mfsm_last_ = new_C_last_in__ in 

let new_C_mfsm_lock_ = new_C_lock_in_ in 

let new_C_mfsm_ss = CB_ss_in in 

let new_C_mfsm_invalid = Pi u_in valid in 

let new_C_sfsm_state = C_sfsm_state in 

let new_C_sfsm_D = ClkD in 

let new_C_sfsm _grant = c : grant in 

let new_C_s fsm_rst = Rst in 

let new_C_sfsm_write = c_write in 

let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in 
let new_C_sfsm_hlda_ = I_hlda_ in 
let new_C_sfsm_ms = CB_ms_in in 
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let new_C_efsm_state = C_efsm_state in 

let new_C_efsm_cale_ = I_cale_ in 

let new_C_efsm_last_ = I_last_in_ in 

let new_C_efsm_male_ = I_male_in_ in 

let new_C_efsm_rale_ = I_rale_in_ in 

let new_C_efsm_srdy_ = I_srdy Jn_ in 

let new_C_efsm_rst = Rst in 

let new_C_mfsm_stateA = C_mfsm_stateA in 

let new_C_mfsm_jn abort = C_mfsm_mabort in 

let new_C_mfsm_midle = C_mfsm_midle in 

let new_C_mfsm_mrequest = C_mfsm_mrequest in 

let new_C_mfsm_ma3 = C_mfsm_ma3 in 

let new_C_mfsm_ma2 = C_mfsm_ma2 in 

let new _C_mf sm_m a 1 = C_mfsm_mal in 

let new_C_mfsm_maO = C_mfsm_maO in 

let new_C_mfsm_md 1 =C_mfsm_mdl in 

let new_C_mfsm_mdO = C_mfsm_mdO in 

let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in 

let new_C_mfsm_m_cout_sel 1 = C_mfsm__m_cout_sel 1 in 

let new_C_mfsm_m_cout_selO = C_mfsm_m_cout_selO in 

let new_C_mfsm_nis = C_mfsm_ms in 

let new_C_mfsm_rqt_ = C_mfsm_rqt_ in 

let new_C_mfsm_cgnt_ = C_mfsm_cgnt_ in 

let new_C_mf sm_cm_en = C_mfsm_cm_en in 

let new _C _mf sm_abort_le_en_ = C_mfsm_abortJe_en_ in 

let new_C_mf sm_mpari ty = C_mfsm_mparity in 

let new_C_sfsm_stateA = C_sfsm_stateA in 

let new_C_sfsm_ss = C_sfsm_ss in 

let new_C_sfsm_iad_en_s as C_sfsm_iad_en_s in 

let new_C_sfsm_sidle = C„sfsm_sidle in 

let new_C_sfsm_slock = C_sfsm_slock in 

let new_C_sfsm_sal = C_sfsm_sal in 

let new_C_sfsm_saO = C_sfsm_saO in 

let new_C_sfsm_sale = C_sfsm_sale in 

let new_C_sfsm_sdl = C_sfsm_sdi in 

let new_C_sfsm_sdO = C_sfsm_sdO in 

let new_C_sfsm_sack = C_sfsm_sack in 

let new_C_sfsm_sabort = C_sfsm_sabort in 

let new_C_sfsm_s_cout_selO = C_sfsm_s_cout_selO in 

let new_C_sfsm_sparity = C_sfsm_spanty in 

let new_C_efsm_stateA = C_efsm_stateA in 

let new_C_efsm_srdy_en = C_efsm_srdy_en in 

let new_C_clkAA = C_clkAA in 

let new_C_sidle_delA = C_sidle_delA in 

let new__C_mrqt_de!A = C_mrqt_delA in 

let new_C Jast_inA_ = C Jast_inA_ in 

let new_C_ssA = C_ssA in 

let new_C_holdA„ = C_holdA_ in 

let new_C_cout_0_le_delA = C_cout_0_le_delA in 

let new_C_cin_2_leA = C_cin_2_leA in 

let new_C_mrdy_delA_ = C_mrdy_deLA_ in 

let new_C_iad_en_s_delA = C_iad_en_s_delA in 

let new_C_wrdyA = C_wrdyA in 

let new_C_rrdyA = C_rrdyA in 
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let new_C_iad_out = C_iad_out in 
let new_C_alaO = C_alaO in 
let new_C_a3a2 = C_a3a2 in 

let I_cgnt_ = ne w_C_mfsm_cg n t_ in 

let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ I ARB) in 
let I_hokl_ = new_C_boldA_ in 

let Lrale_out_ = ((~I_hlda_) => c_dfsm_i_rale_ I ARB) in 
let Lmale_out_ = ((-I_hlda_) *> c_dfsm_i_male_ I ARB) in 
let Mast_out_ = ((~I_hlda_) => new_CJast_out_ I ARB) in 
let I_srdy_out_ = 

((~I_cale_ V new_C_efsm_srdy_en) => ~(new_C_wrdyA V new_C_rrdyA V ne w_C_mf sm^m abort ) I ARB) in 
let I_be_out_ = ((~I_hlda_) => (SUB ARRAY new_C_sizewrbe (9,6)) I ARBN) in 
let I_ad_out = 

((new_C_iad_en_s_delA V Dew_C_mfsm_iad_en_m V new_C_sfsm_iad_en_s) => new_C_iad_out I ARBN) in 
let CBjrqt_out_ = new_C_mfsm_rqt_ in 

let cbmslO = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in 

let cbms210 = (ALTER cbmslO (2) ((ELEMENT Dew_C_mfsm_ms (2)) A ~Pmm_failure A -Piujnvalid)) in 

let CB_ms_out = ((~new_C _mfsm_cm_eo) => cbms210 1 ARBN) in 

let cbsslO = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in 

let cbss210 = (ALTER cbmslO (2) ((ELEMENT new_C_sfsm_ss (2)) A ~Pmm_failure A -Piu_in valid)) in 
let CB_ss_out = ( ( ~new_C_sf sm_sidle A ~new_C_sfsm_sabort) => cbss210 I ARBN) in 
let CB_ad_out = ((c_dfsm_cad_en ) => 

((c_cout_sel = (WORDN 0)) => Par.Enc rep ((SUBARRAY new_C_alaO (15,0))) I 
((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_alaO (31,16))) I 
((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUB ARRAY new_C_a3a2 (15,0))) I 
Par_Enc rep ((SUB ARRAY new_C_a3a2 (31,16)))))) I 
ARBN) in 
let C_ss_out = new_C_ss in 

let Disable_writes = (c_dfsm_slave A -((ChannellD = (WORDN 0)) A (ELEMENT new_C_source (6))) 

A -((ChannellD = (WORDN 1)) A (ELEMENT new_C_source (7))) 

A -'((ChannellD = (WORDN 2)) A (ELEMENT new_C_source (8))) 

A -((ChannellD = (WORDN 3)) A (ELEMENT new_C_sounce (9)))) in 

let CB^parity = new_C_parity in 

(I_cgnt_, I_mrdy_out_, I_h°ld_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_, 
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CBjrarity)” 

);; 

close_theory();; 
C.5 SU_Cont Specification




%------------------------------------------------------------------------------
  File:         s_phase.ml

  Author:       (c) D.A. Fura 1992

  Date:         31 March 1992

  This file contains the ml source for the phase-level specification of the P-Port of the FTEP PIU,
  an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
  The bulk of this code was translated from an M-language simulation program using a translator
  written by P.J. Windley at the University of Idaho.
------------------------------------------------------------------------------%


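% Theory set-up for the start-up controller phase-level model.               %
% The string and list delimiters below were unreadable in the scanned        %
% listing and are written here in HOL88 syntax.                              %

% Parent theories are looked up through the search path, so the directory    %
% appended here decides which definitions the model is built on. It is a     %
% site-specific absolute path; anyone able to write to it can change what    %
% the parent constants mean, so it should be treated as part of the trusted  %
% base of any proof built on this theory.                                    %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

% Delete any theory file left by an earlier run before the theory is         %
% declared again. The command is a fixed string; no external input reaches   %
% the shell.                                                                 %
system `rm s_block.th`;;
new_theory `s_block`;;

% NOTE(review): presumably saux_def supplies sfsm_ty and the state           %
% constants, and the other three supply the word and array operators used    %
% below - confirm against those files.                                       %
map new_parent [`saux_def`; `aux_def`; `array_def`; `wordn_def`];;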

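% State, environment and output signatures of the start-up controller.       %
% Each xxx_ty is a type quotation and each xxx is a variable tuple of that   %
% type; the tuples fix the field order used by every definition below.       %
% NOTE(review): identifiers were damaged in the scan. Digits 0 and 1 are     %
% used for the CPU0/CPU1 pairs (src0/src1, sc0f/sc1f, Failure0_/Failure1_);  %
% confirm the spelling against the parent theories.                          %

% 41 fields: A-phase FSM latch and its 16 decoded flags, the A-phase         %
% counters and flags, then the B-phase latches.                              %
let s_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#bool#bool#
                    sfsm_ty#bool#bool#bool#bool#bool#
                    bool#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
                 S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
                 S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                 S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                 S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                 S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
                :^s_state_ty)";;

% 9 boolean inputs. Bypass and Test alter the start-up sequence in the       %
% definitions below, so they are part of the model's trust assumptions.      %
let s_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
              :^s_env_ty)";;

% 11 outputs: the encoded controller state followed by reset, interrupt      %
% disable, history and failure flags.                                        %
let s_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
               Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
              :^s_out_ty)";;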


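%------------------------------------------------------------------------------
  Next-state definition for Phase-A instruction.

  PH_A_inst takes the 41-field state tuple and the 9-field environment tuple
  and returns the next state in the same field order.

  Phase A recomputes the A-side latches: S_fsm_stateA, its sixteen decoded
  flags (sn .. scs), S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA,
  S_instart and S_cpu_histA. Every other field is returned unchanged.

  State machine, as written below:
    - S_fsm_rst forces SSTART from any state.
    - SSTART, SRA, SPF, SC0I, SC0F, ST, SC1I, SC1F, SS, SCS, SN, SO are
      visited in that order; SRA and SCS wait on S_fsm_delay6, and SC0I,
      SC1I and SN wait on S_fsm_delay17.
    - From SS the machine goes to SSTOP when S_fsm_bothbad is set. SSTOP and
      SO map to themselves, so only S_fsm_rst leaves them.
    - Any other value of S_fsm_state maps to SILL.
    - With S_fsm_bypass set, SRA goes straight to SO and the states SPF
      through SN are skipped. A property that relies on those states having
      been visited therefore needs an assumption on the bypass input.

  s_soft_cnt_out, s_cpu0_ok, s_cpu1_ok, s_cpu0_select and s_cpu1_select are
  bound but do not appear in the result tuple; they are kept as in the
  listing.

  NOTE(review): the scanned listing was damaged. Conditionals are written
  (c => a | b), and digits 0 and 1 are used for the CPU0/CPU1 pairs. The
  state constants must match sfsm_ty in the parent theory - confirm.
------------------------------------------------------------------------------%

let PH_A_inst_def = new_definition
  (`PH_A_inst`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
      (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
       S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
       S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
       S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_cpu_hist S_piu_fail :bool)
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
    PH_A_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
               S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
               S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
               S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
               S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
               S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
              (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
    let new_S_fsm_stateA =
      ((S_fsm_rst) => SSTART |
      ((S_fsm_state = SSTART) => SRA |
      ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
      ((S_fsm_state = SPF) => SC0I |
      ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
      ((S_fsm_state = SC0F) => ST |
      ((S_fsm_state = ST) => SC1I |
      ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
      ((S_fsm_state = SC1F) => SS |
      ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
      ((S_fsm_state = SSTOP) => SSTOP |
      ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
      ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
      ((S_fsm_state = SO) => SO | SILL)))))))))))))) in
    let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
    let new_S_fsm_so = (new_S_fsm_stateA = SO) in
    let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
    let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
    let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA)
                      \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                      \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                      \/ (new_S_fsm_stateA = SCS)) in
    let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
    let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
    let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
    let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
    let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
    let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
    let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
    let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                      \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                      \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                      \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
    let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
    let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
    let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
    let new_S_soft_shot = (~Gcrh /\ Gcrl) in
    let new_S_soft_shot_delA = S_soft_shot_del in
    let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
    let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
    let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
    let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
    let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
    let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
                           (INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
    let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
    let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
    let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
    let new_S_fsm_state = S_fsm_state in
    let new_S_fsm_rst = S_fsm_rst in
    let new_S_fsm_delay6 = S_fsm_delay6 in
    let new_S_fsm_delay17 = S_fsm_delay17 in
    let new_S_fsm_bothbad = S_fsm_bothbad in
    let new_S_fsm_bypass = S_fsm_bypass in
    let new_S_soft_shot_del = S_soft_shot_del in
    let new_S_soft_cnt = S_soft_cnt in
    let new_S_delay = S_delay in
    let new_S_bad_cpu0 = S_bad_cpu0 in
    let new_S_bad_cpu1 = S_bad_cpu1 in
    let new_S_reset_cpu0 = S_reset_cpu0 in
    let new_S_reset_cpu1 = S_reset_cpu1 in
    let new_S_pmm_fail = S_pmm_fail in
    let new_S_cpu0_fail = S_cpu0_fail in
    let new_S_cpu1_fail = S_cpu1_fail in
    let new_S_cpu_hist = S_cpu_hist in
    let new_S_piu_fail = S_piu_fail in
    (new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
     new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
     new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
     new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA, new_S_fsm_state,
     new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass,
     new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0,
     new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
  );;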


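%------------------------------------------------------------------------------
  Output definition for Phase-A instruction.

  PH_A_out takes the same state and environment tuples as the Phase-A
  next-state definition, repeats its next-state bindings, and returns the
  11-field output tuple (S_state, Reset_cport, Disable_int, Reset_piu,
  Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail).

  Reset_cport, Reset_piu and Disable_int are driven by the Phase-A next-state
  flags. The CPU reset, history and failure outputs are the B-side latches,
  which Phase A passes through unchanged.

  S_state is a 4-bit encoding of new_S_fsm_stateA written one bit at a time
  with ALTER onto ARBN, so any bits above bit 3 stay unspecified.

  NOTE(review): the scanned listing builds ss3 from ss1, which would discard
  ss2 and leave bit 2 of S_state unwritten. ss3 is chained from ss2 here.
  With all four bits written the thirteen states get distinct codes, and each
  step on the non-bypass path changes exactly one bit, which suggests that
  chaining from ss2 is the intended form. Confirm against the original
  source before relying on theorems proved over the scanned text.

  NOTE(review): the scanned listing was damaged. Conditionals are written
  (c => a | b), and digits 0 and 1 are used for the CPU0/CPU1 pairs. The
  state constants must match sfsm_ty in the parent theory - confirm.
------------------------------------------------------------------------------%

let PH_A_out_def = new_definition
  (`PH_A_out`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
      (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
       S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
       S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
       S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_cpu_hist S_piu_fail :bool)
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
    PH_A_out (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
              S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
              S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
              S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
              S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
              S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
             (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
    let new_S_fsm_stateA =
      ((S_fsm_rst) => SSTART |
      ((S_fsm_state = SSTART) => SRA |
      ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
      ((S_fsm_state = SPF) => SC0I |
      ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
      ((S_fsm_state = SC0F) => ST |
      ((S_fsm_state = ST) => SC1I |
      ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
      ((S_fsm_state = SC1F) => SS |
      ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
      ((S_fsm_state = SSTOP) => SSTOP |
      ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
      ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
      ((S_fsm_state = SO) => SO | SILL)))))))))))))) in
    let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
    let new_S_fsm_so = (new_S_fsm_stateA = SO) in
    let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
    let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
    let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA)
                      \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                      \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                      \/ (new_S_fsm_stateA = SCS)) in
    let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
    let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
    let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
    let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
    let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
    let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
    let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
    let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                      \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                      \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                      \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
    let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
    let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
    let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
    let new_S_soft_shot = (~Gcrh /\ Gcrl) in
    let new_S_soft_shot_delA = S_soft_shot_del in
    let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
    let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
    let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
    let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
    let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
    let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
                           (INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
    let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
    let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
    let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
    let new_S_fsm_state = S_fsm_state in
    let new_S_fsm_rst = S_fsm_rst in
    let new_S_fsm_delay6 = S_fsm_delay6 in
    let new_S_fsm_delay17 = S_fsm_delay17 in
    let new_S_fsm_bothbad = S_fsm_bothbad in
    let new_S_fsm_bypass = S_fsm_bypass in
    let new_S_soft_shot_del = S_soft_shot_del in
    let new_S_soft_cnt = S_soft_cnt in
    let new_S_delay = S_delay in
    let new_S_bad_cpu0 = S_bad_cpu0 in
    let new_S_bad_cpu1 = S_bad_cpu1 in
    let new_S_reset_cpu0 = S_reset_cpu0 in
    let new_S_reset_cpu1 = S_reset_cpu1 in
    let new_S_pmm_fail = S_pmm_fail in
    let new_S_cpu0_fail = S_cpu0_fail in
    let new_S_cpu1_fail = S_cpu1_fail in
    let new_S_cpu_hist = S_cpu_hist in
    let new_S_piu_fail = S_piu_fail in
    let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
                            \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
                            \/ (new_S_fsm_stateA = SO))) in
    let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                           \/ (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F)
                           \/ (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
                           \/ (new_S_fsm_stateA = SCS))) in
    let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I)
                           \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                           \/ (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
    let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF)
                           \/ (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I)
                           \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
                           \/ (new_S_fsm_stateA = SO))) in
    let S_state = ss3 in
    let Reset_cport = new_S_fsm_srcp in
    let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
    let Reset_piu = new_S_fsm_srp in
    let Reset_cpu0 = new_S_reset_cpu0 in
    let Reset_cpu1 = new_S_reset_cpu1 in
    let Cpu_hist = new_S_cpu_hist in
    let Piu_fail = new_S_piu_fail in
    let Cpu0_fail = new_S_cpu0_fail in
    let Cpu1_fail = new_S_cpu1_fail in
    let Pmm_fail = new_S_pmm_fail in
    (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail,
     Cpu1_fail, Pmm_fail)"
  );;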


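%------------------------------------------------------------------------------
  Next-state definition for Phase-B instruction.

  PH_B_inst takes the 41-field state tuple and the 9-field environment tuple
  and returns the next state in the same field order.

  Phase B recomputes the B-side latches: S_fsm_state (loaded from
  S_fsm_stateA), S_fsm_rst (from Rst), S_fsm_delay6, S_fsm_delay17,
  S_fsm_bothbad, S_fsm_bypass (from Bypass), S_soft_shot_del, S_soft_cnt,
  S_delay, the bad and reset flags for each CPU, the four failure flags and
  S_cpu_hist. The A-side latches are returned unchanged.

  Failure and bad-CPU flags are written as set/clear latches:
    set condition only    gives T
    clear condition only  gives F
    neither               keeps the old value
    both                  gives ARB, that is, the value is left unspecified
  The set condition is S_fsm_sb in every case. Nothing can be proved about a
  flag in a cycle where S_fsm_sb holds together with its clear condition.

  Bypass is a clear condition for S_cpu0_fail, S_cpu1_fail and S_piu_fail, so
  with Bypass asserted and S_fsm_sb clear those flags read F whatever the
  test results were. The CPU select terms depend on the failure flags, so a
  property such as: a CPU that failed its test is never selected, needs an
  explicit assumption that Bypass is not asserted.

  Test selects bit 6 of the delay counter in place of bit 17 for
  S_fsm_delay17. NOTE(review): presumably this shortens the waits for test
  purposes - confirm, and treat Test as a controlled input.

  NOTE(review): the scanned listing was damaged. Conditionals are written
  (c => a | b), and digits 0 and 1 are used for the CPU0/CPU1 pairs. Confirm
  identifier spelling against the parent theories.
------------------------------------------------------------------------------%

let PH_B_inst_def = new_definition
  (`PH_B_inst`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
      (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
       S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
       S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
       S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_cpu_hist S_piu_fail :bool)
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
    PH_B_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
               S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
               S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
               S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
               S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
               S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
              (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
    let s_soft_cnt_out = ((S_soft_shot /\ ~S_soft_shot_delA) => (INCN 2 S_soft_cntA) | S_soft_cntA) in
    let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
    let s_cpu0_ok = (S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let s_cpu1_ok = (S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let new_S_soft_shot_del = S_soft_shot in
    let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
    let new_S_delay = s_delay_out in
    let new_S_pmm_fail =
      ((S_fsm_sb /\ ~S_fsm_spmf) => T |
      ((~S_fsm_sb /\ S_fsm_spmf) => F |
      ((~S_fsm_sb /\ ~S_fsm_spmf) => S_pmm_fail | ARB))) in
    let new_S_cpu0_fail =
      ((S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
      ((~S_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
      ((~S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
    let new_S_cpu1_fail =
      ((S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
      ((~S_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
      ((~S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
    let new_S_piu_fail =
      ((S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => T |
      ((~S_fsm_sb /\ (S_fsm_spf \/ Bypass)) => F |
      ((~S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
    let s_cpu0_select = ((S_fsm_sn \/ S_fsm_so) /\ ~new_S_cpu0_fail) in
    let s_cpu1_select = ((S_fsm_sn \/ S_fsm_so) /\ new_S_cpu0_fail /\ ~new_S_cpu1_fail) in
    let new_S_bad_cpu0 =
      ((S_fsm_sb /\ ~s_cpu0_select) => T |
      ((~S_fsm_sb /\ s_cpu0_select) => F |
      ((~S_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
    let new_S_bad_cpu1 =
      ((S_fsm_sb /\ ~s_cpu1_select) => T |
      ((~S_fsm_sb /\ s_cpu1_select) => F |
      ((~S_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
    let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ S_fsm_src0) in
    let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ S_fsm_src1) in
    let new_S_cpu_hist = S_cpu_histA in
    let new_S_fsm_state = S_fsm_stateA in
    let new_S_fsm_rst = Rst in
    let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
    let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
    let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
    let new_S_fsm_bypass = Bypass in
    let new_S_fsm_stateA = S_fsm_stateA in
    let new_S_fsm_sn = S_fsm_sn in
    let new_S_fsm_so = S_fsm_so in
    let new_S_fsm_srcp = S_fsm_srcp in
    let new_S_fsm_sdi = S_fsm_sdi in
    let new_S_fsm_srp = S_fsm_srp in
    let new_S_fsm_src0 = S_fsm_src0 in
    let new_S_fsm_src1 = S_fsm_src1 in
    let new_S_fsm_spf = S_fsm_spf in
    let new_S_fsm_sc0f = S_fsm_sc0f in
    let new_S_fsm_sc1f = S_fsm_sc1f in
    let new_S_fsm_spmf = S_fsm_spmf in
    let new_S_fsm_sb = S_fsm_sb in
    let new_S_fsm_src = S_fsm_src in
    let new_S_fsm_sec = S_fsm_sec in
    let new_S_fsm_srs = S_fsm_srs in
    let new_S_fsm_scs = S_fsm_scs in
    let new_S_soft_shot = S_soft_shot in
    let new_S_soft_shot_delA = S_soft_shot_delA in
    let new_S_soft_cntA = S_soft_cntA in
    let new_S_delayA = S_delayA in
    let new_S_instart = S_instart in
    let new_S_cpu_histA = S_cpu_histA in
    (new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
     new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
     new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
     new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA, new_S_fsm_state,
     new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass,
     new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0,
     new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
  );;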

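%------------------------------------------------------------------------------
  Output definition for Phase-B instruction.

  PH_B_out takes the same state and environment tuples as the Phase-B
  next-state definition, repeats its next-state bindings, and returns the
  11-field output tuple (S_state, Reset_cport, Disable_int, Reset_piu,
  Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail).

  The CPU reset, history and failure outputs are the Phase-B next-state
  values. Reset_cport, Reset_piu and the S_state encoding come from the
  A-side latches, which Phase B passes through unchanged.

  The failure outputs inherit the set/clear latch form: when S_fsm_sb holds
  together with a clear condition the value is ARB, that is, unspecified.
  Bypass is a clear condition for the CPU0, CPU1 and PIU failure flags, so
  properties about these outputs need an explicit assumption on Bypass.

  S_state is a 4-bit encoding of new_S_fsm_stateA written one bit at a time
  with ALTER onto ARBN, so any bits above bit 3 stay unspecified.

  NOTE(review): the scanned listing builds ss3 from ss1, which would discard
  ss2 and leave bit 2 of S_state unwritten. ss3 is chained from ss2 here.
  With all four bits written the thirteen states get distinct codes, which
  suggests that chaining from ss2 is the intended form. Confirm against the
  original source before relying on theorems proved over the scanned text.

  NOTE(review): the scanned listing was damaged. Conditionals are written
  (c => a | b), and digits 0 and 1 are used for the CPU0/CPU1 pairs. Confirm
  identifier spelling against the parent theories.
------------------------------------------------------------------------------%

let PH_B_out_def = new_definition
  (`PH_B_out`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
      (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
       S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
       S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
       S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_cpu_hist S_piu_fail :bool)
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
    PH_B_out (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
              S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
              S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
              S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
              S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
              S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
             (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
    let s_soft_cnt_out = ((S_soft_shot /\ ~S_soft_shot_delA) => (INCN 2 S_soft_cntA) | S_soft_cntA) in
    let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
    let s_cpu0_ok = (S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let s_cpu1_ok = (S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
    let new_S_soft_shot_del = S_soft_shot in
    let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
    let new_S_delay = s_delay_out in
    let new_S_pmm_fail =
      ((S_fsm_sb /\ ~S_fsm_spmf) => T |
      ((~S_fsm_sb /\ S_fsm_spmf) => F |
      ((~S_fsm_sb /\ ~S_fsm_spmf) => S_pmm_fail | ARB))) in
    let new_S_cpu0_fail =
      ((S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
      ((~S_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
      ((~S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
    let new_S_cpu1_fail =
      ((S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
      ((~S_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
      ((~S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
    let new_S_piu_fail =
      ((S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => T |
      ((~S_fsm_sb /\ (S_fsm_spf \/ Bypass)) => F |
      ((~S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
    let s_cpu0_select = ((S_fsm_sn \/ S_fsm_so) /\ ~new_S_cpu0_fail) in
    let s_cpu1_select = ((S_fsm_sn \/ S_fsm_so) /\ new_S_cpu0_fail /\ ~new_S_cpu1_fail) in
    let new_S_bad_cpu0 =
      ((S_fsm_sb /\ ~s_cpu0_select) => T |
      ((~S_fsm_sb /\ s_cpu0_select) => F |
      ((~S_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
    let new_S_bad_cpu1 =
      ((S_fsm_sb /\ ~s_cpu1_select) => T |
      ((~S_fsm_sb /\ s_cpu1_select) => F |
      ((~S_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
    let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ S_fsm_src0) in
    let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ S_fsm_src1) in
    let new_S_cpu_hist = S_cpu_histA in
    let new_S_fsm_state = S_fsm_stateA in
    let new_S_fsm_rst = Rst in
    let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
    let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
    let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
    let new_S_fsm_bypass = Bypass in
    let new_S_fsm_stateA = S_fsm_stateA in
    let new_S_fsm_sn = S_fsm_sn in
    let new_S_fsm_so = S_fsm_so in
    let new_S_fsm_srcp = S_fsm_srcp in
    let new_S_fsm_sdi = S_fsm_sdi in
    let new_S_fsm_srp = S_fsm_srp in
    let new_S_fsm_src0 = S_fsm_src0 in
    let new_S_fsm_src1 = S_fsm_src1 in
    let new_S_fsm_spf = S_fsm_spf in
    let new_S_fsm_sc0f = S_fsm_sc0f in
    let new_S_fsm_sc1f = S_fsm_sc1f in
    let new_S_fsm_spmf = S_fsm_spmf in
    let new_S_fsm_sb = S_fsm_sb in
    let new_S_fsm_src = S_fsm_src in
    let new_S_fsm_sec = S_fsm_sec in
    let new_S_fsm_srs = S_fsm_srs in
    let new_S_fsm_scs = S_fsm_scs in
    let new_S_soft_shot = S_soft_shot in
    let new_S_soft_shot_delA = S_soft_shot_delA in
    let new_S_soft_cntA = S_soft_cntA in
    let new_S_delayA = S_delayA in
    let new_S_instart = S_instart in
    let new_S_cpu_histA = S_cpu_histA in
    let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
                            \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
                            \/ (new_S_fsm_stateA = SO))) in
    let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                           \/ (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F)
                           \/ (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
                           \/ (new_S_fsm_stateA = SCS))) in
    let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I)
                           \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                           \/ (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
    let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF)
                           \/ (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I)
                           \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
                           \/ (new_S_fsm_stateA = SO))) in
    let S_state = ss3 in
    let Reset_cport = new_S_fsm_srcp in
    let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
    let Reset_piu = new_S_fsm_srp in
    let Reset_cpu0 = new_S_reset_cpu0 in
    let Reset_cpu1 = new_S_reset_cpu1 in
    let Cpu_hist = new_S_cpu_hist in
    let Piu_fail = new_S_piu_fail in
    let Cpu0_fail = new_S_cpu0_fail in
    let Cpu1_fail = new_S_cpu1_fail in
    let Pmm_fail = new_S_pmm_fail in
    (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail,
     Cpu1_fail, Pmm_fail)"
  );;

% Write the finished theory out; no further definitions can be added to it   %
% in this session.                                                           %
close_theory();;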
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Appendix D ML Source for the Clock-Level Specification of the PIU Ports. 

This appendix contains the HOL models for the clock-level specification for the PIU ports. The ports 
are listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont. 

D.1 P Port Specification 

%
File: p_clock1.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the clock-level specification of the P-Port of the FTEP PIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

The bulk of this code was translated from an M-language simulation program using a translator 
written by P.J. Windley at the University of Idaho. 
%




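% Session setup for theory p_clock1 and the tuple shapes used by the P-Port definitions.

  - The search path gains a hard-coded absolute directory under one user's home. The parent
    theories named below are presumably resolved through it, so these definitions are only as
    trustworthy as the files found there; point it at a controlled project library directory
    when rebuilding elsewhere.
  - The shell command removes any existing p_clock1.th, relative to the directory the session
    was started in, before the theory is recreated.
  - pc_state_ty, pc_env_ty and pc_out_ty list component types in the same order as the names
    in pc_state (16), pc_env (13) and pc_out (13).
  - NOTE(review): the scan prints P_destl throughout; whether the last character is the
    letter l or the digit 1 cannot be decided from this listing. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm p_clock1.th`;;
new_theory `p_clock1`;;

map new_parent [`paux_def`; `aux_def`; `array_def`; `wordn_def`];;

let pc_state_ty = ":(wordn#bool#wordn#bool#pfsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool)";;
let pc_state = "((P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                 P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
                :^pc_state_ty)";;

let pc_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let pc_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              :^pc_env_ty)";;

let pc_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;

let pc_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
               I_mrdy_, I_last_, I_hlda_, I_lock_)
              :^pc_out_ty)";;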


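% Next-state definition for EXEC instruction.

  pEXEC_inst takes the current P-Port state tuple and the environment tuple and returns the
  next state tuple, in the component order of pc_state.

  - new_P_fsm_state: P_fsm_rst forces PA; PH, PA and PD have explicit transitions; any other
    current state yields P_ILL.
  - While P_rqt is false the address, destination bit, byte enables, write flag and size are
    reloaded from the L_ inputs; otherwise they hold, except that DECN 1 is applied to P_size
    while P_down is true.
  - new_P_rqt is a set/reset latch: p_ale sets it, p_sack or Rst clears it, and the case
    where both are true is left as ARB rather than given a priority.
  - new_P_male_ and new_P_rale_ are only updated in state PA; latched address bits 25..24
    equal to WORDN 3 select rale, any other value selects male.
  - ClkA, ClkB and I_ad_in are quantified but not read by any equation here.
  - NOTE(review): p_sack compares P_size here, while the copy of this computation inside
    pEXEC_out compares new_P_size. One of the two is presumably unintended; confirm which.
  - NOTE(review): the scan prints P_destl; letter l versus digit 1 cannot be decided from
    this listing. %
let pEXEC_inst_def = new_definition
  (`pEXEC_inst`,
   "! (P_fsm_state :pfsm_ty)
      (P_addr P_be_ P_size :wordn)
      (P_destl P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
       P_lock_inh_ P_male_ P_rale_ :bool)
      (L_ad_in L_be_ I_ad_in :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) .
    pEXEC_inst (P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
               (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_,
                I_srdy_) =
    let new_P_fsm_state =
      ((P_fsm_rst) => PA |
      ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
      ((P_fsm_state = PA) =>
        (((P_rqt /\ ~P_destl) \/ (P_rqt /\ P_destl /\ ~P_fsm_cgnt_)) => PD |
        ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
      ((P_fsm_state = PD) =>
        (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
        ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
    let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
    let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
    let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
    let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
    let new_P_size =
      ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
      ((P_down) => (DECN 1 P_size) | P_size)) in
    let p_ale = (~L_ads_ /\ L_den_) in
    let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
    let new_P_rqt =
      ((p_ale /\ ~(p_sack \/ Rst)) => T |
      ((~p_ale /\ (p_sack \/ Rst)) => F |
      ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
    let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
    let new_P_male_ = ((new_P_fsm_state = PA) =>
      ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
    let new_P_rale_ = ((new_P_fsm_state = PA) =>
      ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
    let new_P_lock_ =
      ((Rst) => T |
      ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
    let new_P_lock_inh_ =
      ((Rst) => T |
      ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
    let new_P_fsm_rst = Rst in
    let new_P_fsm_sack = p_sack in
    let new_P_fsm_cgnt_ = I_cgnt_ in
    let new_P_fsm_hold_ = I_hold_ in

    (new_P_addr, new_P_destl, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack,
     new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_,
     new_P_male_, new_P_rale_)"

  );;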


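% Output definition for EXEC instruction.

  pEXEC_out takes the same state and environment tuples as pEXEC_inst, repeats the next-state
  computation, and returns the output tuple in the component order of pc_out.

  - Outputs are derived from the new state, not the current one. Where an output is not
    driven in the current state the definition yields ARB or ARBN, presumably standing for
    an unspecified value.
  - I_ad_addr_out is assembled in state PA from new_P_be_ (bits 31..27), a constant F
    (bit 26), address bits 1..0 (bits 25..24) and address bits 25..2 (bits 23..0).
  - I_rale_ and I_male_ use the same address decode as the latched new_P_rale_ and
    new_P_male_: bits 25..24 equal to WORDN 3 select rale.
  - NOTE(review): p_sack compares new_P_size here, while pEXEC_inst compares P_size and
    I_last_ below also compares P_size. The two copies of the next-state computation
    therefore differ; confirm which form is intended.
  - NOTE(review): the scan prints P_destl; letter l versus digit 1 cannot be decided from
    this listing. %
let pEXEC_out_def = new_definition
  (`pEXEC_out`,
   "! (P_fsm_state :pfsm_ty)
      (P_addr P_be_ P_size :wordn)
      (P_destl P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
       P_lock_inh_ P_male_ P_rale_ :bool)
      (L_ad_in L_be_ I_ad_in :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) .
    pEXEC_out (P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
               P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
              (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_,
               I_srdy_) =
    let new_P_fsm_state =
      ((P_fsm_rst) => PA |
      ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
      ((P_fsm_state = PA) =>
        (((P_rqt /\ ~P_destl) \/ (P_rqt /\ P_destl /\ ~P_fsm_cgnt_)) => PD |
        ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
      ((P_fsm_state = PD) =>
        (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
        ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
    let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
    let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
    let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
    let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
    let new_P_size =
      ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
      ((P_down) => (DECN 1 P_size) | P_size)) in
    let p_ale = (~L_ads_ /\ L_den_) in
    let p_sack = ((new_P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
    let new_P_rqt =
      ((p_ale /\ ~(p_sack \/ Rst)) => T |
      ((~p_ale /\ (p_sack \/ Rst)) => F |
      ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
    let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
    let new_P_male_ = ((new_P_fsm_state = PA) =>
      ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
    let new_P_rale_ = ((new_P_fsm_state = PA) =>
      ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
    let new_P_lock_ =
      ((Rst) => T |
      ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
    let new_P_lock_inh_ =
      ((Rst) => T |
      ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
    let new_P_fsm_rst = Rst in
    let new_P_fsm_sack = p_sack in
    let new_P_fsm_cgnt_ = I_cgnt_ in
    let new_P_fsm_hold_ = I_hold_ in
    let L_ad_out = (((~(new_P_fsm_state = PA))
                     /\ (~(new_P_fsm_state = PH))
                     /\ ~((new_P_fsm_state = PD) /\ new_P_wr)) => I_ad_in | ARBN) in
    let L_ready_ = ~(~I_srdy_ /\ (new_P_fsm_state = PD)) in
    let od0 = ARBN in
    let od1 = (MALTER od0 (31,27) new_P_be_) in
    let od2 = (ALTER od1 (26) F) in
    let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
    let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
    let I_ad_addr_out = ((new_P_fsm_state = PA) => od4 | ARBN) in
    let I_ad_data_out = (((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in | ARBN) in
    let I_be_ = ((~(new_P_fsm_state = PH)) => ((new_P_fsm_state = PA) => new_P_be_ | L_be_) | ARBN) in
    let I_rale_ = ((~(new_P_fsm_state = PH)) =>
      ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA)
        /\ new_P_rqt) | ARB) in
    let I_male_ = ((~(new_P_fsm_state = PH)) =>
      ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA)
        /\ new_P_rqt) | ARB) in
    let I_crqt_ = ~(new_P_destl /\ new_P_rqt) in
    let I_cale_ = ~(~I_cgnt_ /\ (new_P_fsm_state = PA) /\ I_hold_) in
    let I_mrdy_ = ((~(new_P_fsm_state = PH)) => F | ARB) in
    let I_last_ = ((~(new_P_fsm_state = PH)) => (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) | ARB) in
    let I_hlda_ = ~(new_P_fsm_state = PH) in
    let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in

    (L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_, I_mrdy_,
     I_last_, I_hlda_, I_lock_)"

  );;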

% Ends draft mode for the current theory, the one created by new_theory earlier in this file. %
close_theory();; 
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D.2 M Port Specification 


%
File: m_clock1.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the clock-level specification of the M-Port of the FTEP PIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 
The bulk of this code was translated from an M-language simulation program using a translator 
written by P.J. Windley at the University of Idaho. 


% 


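% Session setup for theory m_clock1 and the tuple shapes used by the M-Port definitions.

  - The search path gains a hard-coded absolute directory under one user's home. The parent
    theories and the abstract file loaded below are presumably resolved through it, so these
    definitions are only as trustworthy as the files found there; point it at a controlled
    project library directory when rebuilding elsewhere.
  - The shell command removes any existing m_clock1.th, relative to the directory the session
    was started in, before the theory is recreated.
  - mc_state_ty, mc_env_ty and mc_out_ty list component types in the same order as the names
    in mc_state (15), mc_env (13) and mc_out (9).
  - rep_ty is obtained from abstract_type applied to aux_def and Andn; the EXEC definitions
    take a rep argument of this type and pass it to the Ham_ functions. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm m_clock1.th`;;
new_theory `m_clock1`;;
loadf `abstract`;;

map new_parent [`maux_def`; `aux_def`; `array_def`; `wordn_def`];;

let mc_state_ty = ":(mfsm_ty#bool#bool#bool#bool#wordn#bool#bool#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let mc_state = "((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
                 M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                :^mc_state_ty)";;

let mc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let mc_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              :^mc_env_ty)";;

let mc_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;

let mc_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)
              :^mc_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;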

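% Next-state definition for EXEC instruction.

  mEXEC_inst takes the current M-Port state tuple, the environment tuple and rep, and returns
  the next state tuple in the component order of mc_state.

  - new_M_fsm_state: M_fsm_rst forces MI; MI, MA, MR, MRR, MW and MBW have explicit
    transitions; any other current state yields M_ILL.
  - m_ww and m_bw split writes on M_be = WORDN 15 (presumably all byte enables set, a
    full-word write) versus any other value; an m_bw write passes through MR and MBW before
    reaching MW.
  - Error detection: new_M_rd_data is Ham_Dec of MB_data_in in state MR. When new_M_detect is
    updated it takes Ham_Det1 of MB_data_in only if Edac_en_ is false (presumably active low,
    EDAC on) and WORDN 0 otherwise. Ham_Det2 is also passed the negated Edac_en_; how it uses
    that flag is defined elsewhere.
  - new_M_parity is a set/reset latch: m_error sets it, Rst or Reset_parity clears it, and
    the case where both are true is left as ARB. Once set it holds until cleared.
  - Disable_eeprom, Disable_writes, ClkA and ClkB are quantified but not read by any
    next-state equation; the two Disable_ inputs only gate MB_we_ in mEXEC_out. %
let mEXEC_inst_def = new_definition
  (`mEXEC_inst`,
   "! (M_fsm_state :mfsm_ty)
      (M_count M_addr M_be M_rd_data M_detect :wordn)
      (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep :^rep_ty) .
    mEXEC_inst (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
                M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
               (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
                I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
               rep =
    let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
    let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
    let new_M_fsm_state =
      ((M_fsm_rst) => MI |
      ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
      ((M_fsm_state = MA) =>
        ((~M_fsm_mrdy_ /\ m_ww) => MW |
        ((~M_fsm_mrdy_ /\ ((~M_wr /\ (~(M_fsm_state = MI))) \/ m_bw)) => MR | MA)) |
      ((M_fsm_state = MR) =>
        ((m_bw /\ (M_count = (WORDN 0))) => MBW |
        ((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
        ((~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR))) |
      ((M_fsm_state = MRR) => MI |
      ((M_fsm_state = MW) =>
        ((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
        ((M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW)) |
      ((M_fsm_state = MBW) => MW | M_ILL))))))) in
    let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
    let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
    let new_M_addr =
      ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
      ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
    let new_M_count =
      (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
      (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
    let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
                 \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((M_rdy /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
    let new_M_rdy = m_rdy in

    let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
    let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
    let new_M_detect =
      ((((new_M_fsm_state = MR) /\ ~new_M_wr) \/ new_M_wr \/ (new_M_fsm_state = MI)) =>
        ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
    let m_error = (~m_srdy_ /\ (~(new_M_fsm_state = MI)) /\ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
    let new_M_parity =
      ((m_error /\ ~(Rst \/ Reset_parity)) => T |
      ((~m_error /\ (Rst \/ Reset_parity)) => F |
      ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
    let new_M_fsm_male_ = I_male_ in
    let new_M_fsm_last_ = I_last_ in
    let new_M_fsm_mrdy_ = I_mrdy_ in
    let new_M_fsm_rst = Rst in

    (new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, new_M_fsm_rst, new_M_count,
     new_M_se, new_M_wr, new_M_addr, new_M_be, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data,
     new_M_detect)"

  );;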

% 

Output definition for EXEC instruction. 

% 


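% mEXEC_out: output definition for the M-Port EXEC instruction.

  Takes the same state tuple, environment tuple and rep as mEXEC_inst, repeats the next-state
  computation, and returns the output tuple in the component order of mc_out.

  - MB_data_out: each byte comes from I_ad_in when the matching M_be bit is set and from
    M_rd_data otherwise; the merged word goes through Ham_Enc and is driven only in state MW.
  - Write protection: MB_we_ is asserted (low, going by the trailing underscore) only if
    Disable_writes is false, the new state is MBW or MW or new_M_wwdel is set, and one of
    new_M_se, new state = MI or not Disable_eeprom holds. So Disable_writes blocks every
    write, and Disable_eeprom blocks writes when new_M_se is false, which is the case in
    which MB_cs_eeprom_ rather than MB_cs_sram_ is asserted.
  - NOTE(review): the middle term of MB_we_ is printed as a double negation of
    (new_M_fsm_state = MI); kept as printed.
  - MB_parity exposes the new_M_parity latch, which m_error sets and Rst or Reset_parity
    clears; the case where both are true is ARB.
  - ARB and ARBN appear where an output is not driven in the current state, presumably
    standing for an unspecified value. %
let mEXEC_out_def = new_definition
  (`mEXEC_out`,
   "! (M_fsm_state :mfsm_ty)
      (M_count M_addr M_be M_rd_data M_detect :wordn)
      (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep :^rep_ty) .
    mEXEC_out (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
               M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
              (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              rep =
    let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
    let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
    let new_M_fsm_state =
      ((M_fsm_rst) => MI |
      ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
      ((M_fsm_state = MA) =>
        ((~M_fsm_mrdy_ /\ m_ww) => MW |
        ((~M_fsm_mrdy_ /\ ((~M_wr /\ (~(M_fsm_state = MI))) \/ m_bw)) => MR | MA)) |
      ((M_fsm_state = MR) =>
        ((m_bw /\ (M_count = (WORDN 0))) => MBW |
        ((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
        ((~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR))) |
      ((M_fsm_state = MRR) => MI |
      ((M_fsm_state = MW) =>
        ((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
        ((M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW)) |
      ((M_fsm_state = MBW) => MW | M_ILL))))))) in
    let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
    let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
    let new_M_addr =
      ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
      ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
    let new_M_count =
      (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
      (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
    let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
                 \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((M_rdy /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
    let new_M_rdy = m_rdy in

    let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
    let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
    let new_M_detect =
      ((((new_M_fsm_state = MR) /\ ~new_M_wr) \/ new_M_wr \/ (new_M_fsm_state = MI)) =>
        ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
    let m_error = (~m_srdy_ /\ (~(new_M_fsm_state = MI)) /\ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
    let new_M_parity =
      ((m_error /\ ~(Rst \/ Reset_parity)) => T |
      ((~m_error /\ (Rst \/ Reset_parity)) => F |
      ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
    let new_M_fsm_male_ = I_male_ in
    let new_M_fsm_last_ = I_last_ in
    let new_M_fsm_mrdy_ = I_mrdy_ in
    let new_M_fsm_rst = Rst in

    let I_ad_out = ((~new_M_wr /\ (~(new_M_fsm_state = MI))) => M_rd_data | ARBN) in
    let I_srdy_ = (((~(new_M_fsm_state = MI))) => m_srdy_ | ARB) in
    let MB_addr = ((M_rdy) => (INCN 18 M_addr) | M_addr) in

    let mb_data_7_0 = (((ELEMENT M_be (0))) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY M_rd_data (7,0))) in
    let mb_data_15_8 = (((ELEMENT M_be (1))) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY M_rd_data (15,8))) in
    let mb_data_23_16 = (((ELEMENT M_be (2))) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY M_rd_data (23,16))) in
    let mb_data_31_24 = (((ELEMENT M_be (3))) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY M_rd_data (31,24))) in
    let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
                                           (15,8) mb_data_15_8)
                                   (23,16) mb_data_23_16)
                           (31,24) mb_data_31_24)) in

    let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb_data) | ARBN) in

    let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) /\ ~new_M_se) in

    let MB_cs_sram_ = ~((~(new_M_fsm_state = MI)) /\ new_M_se) in

    let MB_we_ = ~((new_M_se \/ ~(~(new_M_fsm_state = MI)) \/ ~Disable_eeprom)
                   /\ ~Disable_writes
                   /\ ((new_M_fsm_state = MBW) \/ (new_M_fsm_state = MW) \/ new_M_wwdel)) in
    let MB_oe_ = ~((~new_M_wr /\ (new_M_fsm_state = MA)) \/ (new_M_fsm_state = MR)) in
    let MB_parity = new_M_parity in

    (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"

  );;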

% Ends draft mode for the current theory, the one created by new_theory earlier in this file. %
close_theory();; 
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D.3 R Port Specification 


%


File: r_clock1.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 


This file contains the ml source for the clock-level specification of the R-Port of the FTEP PIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 
The bulk of this code was translated from an M-language simulation program using a translator 
written by P.J. Windley at the University of Idaho. 


% 


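% Session setup for theory r_clock1 and the tuple shapes used by the R-Port definitions.

  - The search path gains a hard-coded absolute directory under one user's home. The parent
    theories and the abstract file loaded below are presumably resolved through it, so these
    definitions are only as trustworthy as the files found there; point it at a controlled
    project library directory when rebuilding elsewhere.
  - The shell command removes any existing r_clock1.th, relative to the directory the session
    was started in, before the theory is recreated.
  - rc_env_ty (19) and r_out_ty (10) match rc_env and r_out component for component.
  - NOTE(review): rc_state_ty as printed has 60 components, five bool after rfsm_ty, while
    rc_state names 59, with four flags between R_fsm_state and R_ctr0_in. The rest of the
    type lines up once one leading bool is dropped. Kept as printed; this is most likely a
    scanning artefact, since with the extra component the annotated term would presumably
    not type-check. Confirm against the original listing.
  - The output names here are r_out_ty and r_out, without the c that pc_out and mc_out carry. %
set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm r_clock1.th`;;
new_theory `r_clock1`;;
loadf `abstract`;;

map new_parent [`raux_def`; `aux_def`; `array_def`; `wordn_def`];;

let rc_state_ty = ":(rfsm_ty#bool#bool#bool#bool#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#bool#wordn#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#
                     bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn)";;
let rc_state = "((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
                 R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
                 R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
                 R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
                 R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
                 R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
                 R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
                 R_reg_sel, R_busA_latch)
                :^rc_state_ty)";;

let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                   wordn#wordn#wordn#bool#bool#wordn)";;

let rc_env = "((ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
               Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
              :^rc_env_ty)";;

let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;

let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
             :^r_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;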
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% 


Next-state definition for EXEC instruction. 


•% 


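% rEXEC_inst: next-state definition for the R-Port EXEC instruction.

  Takes rep, the current R-Port state tuple and the environment tuple, and returns the next
  state tuple in the component order of rc_state (59 components).

  - new_R_fsm_state: R_fsm_rst forces RI; RI and RA have explicit transitions; every other
    current state falls to the final R_fsm_last_ test (RI when it is false, else RA). There
    is no illegal-state value here, unlike P_ILL and M_ILL in the P- and M-Port machines.
  - Register decode on r_reg_sel: 0 and 1 address the icr (Andn with the mask unless the
    value is 1, the second operator when it is 1), 2 the gcr, 3 the ccr, 4 the sr, 8..11 the
    counter input registers and 12..15 the counter output latches. The sr has a read enable
    but no bus write path in this definition.
  - Every register write goes through r_writeB, which requires Disable_writes to be false.
  - new_R_int1_en and new_R_int2_en are set/reset latches controlled by gcr bits; the case
    where set and reset are both true is left as ARB.
  - new_R_sr packs MB_parity, C_ss, CB_parity, ChannelID, Id, S_state, Pmm_fail, Piu_fail,
    Reset_cpu and Cpu_fail into fixed bit fields and is latched on r_fsm_cntlatch.
  - r_int0_en and r_int3_en OR together, for icr bits 0..7 and 16..23 respectively, the AND
    of each bit with the bit eight positions above it; they feed the _dis state bits.
  - r_writeA, r_readA, r_cir_wr01A and r_cir_wr23A are bound but not used in this definition.
  - NOTE(review): new_R_ctr3_cry reads R_ctr3_cry, its own previous value, whereas
    new_R_ctr1_cry reads the lower counter's carry R_ctr0_cry. By that pattern R_ctr2_cry
    would be expected; kept as printed, confirm against the design.
  - NOTE(review): the second icr operator is printed as Ora. It is presumably a scanning
    error for a word-level OR companion to Andn; kept as printed, confirm the name.
  - NOTE(review): new_R_icr_rden tests the new state only, without the not-new_R_wr condition
    that the other read enables get through r_readB. %
let rEXEC_inst_def = new_definition
  (`rEXEC_inst`,
   "! (rep :^rep_ty)
      (R_fsm_state :rfsm_ty)
      (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
       R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel
       R_busA_latch :wordn)
      (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
       R_ctr1_mux_sel
       R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
       R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden R_int0_dis
       R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
      (ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail CB_parity MB_parity :bool) .
    rEXEC_inst rep
      (R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
       R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
       R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
       R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
       R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
       R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
       R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
       R_reg_sel, R_busA_latch)
      (ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =

    let new_R_fsm_state =
      ((R_fsm_rst) => RI |
      ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
      ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
      ((~R_fsm_last_) => RI | RA)))) in
    let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
    let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
    let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
    let new_R_cntlatch_del = r_fsm_cntlatch in
    let new_R_srdy_del_ = r_fsm_srdy_ in
    let new_R_reg_sel =
      ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
      ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
    let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
    let r_writeA = (~Disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
    let r_writeB = (~Disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
    let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
    let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in

    let r_cir_wr01A = ((r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
    let r_cir_wr01B = ((r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
    let r_cir_wr23A = ((r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
    let r_cir_wr23B = ((r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
    let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
    let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
    let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
    let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
    let new_R_c01_cout_del = R_ctr1_cry in
    let new_R_int1_en =
      ((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
        ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
      ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
        (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
      ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
        ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
    let new_R_c23_cout_del = R_ctr3_cry in
    let new_R_int2_en =
      ((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
        ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
      ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
        (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
      ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
        ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
    let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
    let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
    let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in
    let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
    let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
    let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
    let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
    let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
    let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
    let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
    let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
    let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
    let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
    let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
    let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
    let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
    let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
    let new_R_ctr2_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
    let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in
    let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
    let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
    let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
    let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
    let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
    let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
    let new_R_ctr3_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
    let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
    let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
    let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
    let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
    let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
    let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in

    let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
    let new_R_icr_old =
      ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
    let new_R_icr_mask =
      ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
    let new_R_icr =
      ((R_icr_load) =>
        ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Ora rep (R_icr_old, R_icr_mask))) |
        R_icr) in

    let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
    let sr28 = (ALTER ARBN (28) MB_parity) in
    let sr28_25 = (MALTER sr28 (27,25) C_ss) in
    let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
    let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
    let sr28_16 = (MALTER sr28_22 (21,16) Id) in
    let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
    let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
    let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
    let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
    let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
    let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
    let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
    let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                     ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                     ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                     ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                     ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                     ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                     ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                     ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
    let new_R_int0_dis = r_int0_en in

    let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                     ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                     ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                     ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                     ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                     ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                     ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                     ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
    let new_R_int3_dis = r_int3_en in
    let new_R_busA_latch =
      ((R_ctr0_irden) => R_ctr0_in |
      ((R_ctr0_orden) => R_ctr0_out |
      ((R_ctr1_irden) => R_ctr1_in |
      ((R_ctr1_orden) => R_ctr1_out |
      ((R_ctr2_irden) => R_ctr2_in |
      ((R_ctr2_orden) => R_ctr2_out |
      ((R_ctr3_irden) => R_ctr3_in |
      ((R_ctr3_orden) => R_ctr3_out |
      ((R_icr_rden) => new_R_icr |
      ((R_ccr_rden) => R_ccr |
      ((R_gcr_rden) => R_gcr |
      ((R_sr_rden) => R_sr | ARB)))))))))))) in
    let new_R_fsm_ale_ = I_rale_ in
    let new_R_fsm_mrdy_ = I_mrdy_ in
    let new_R_fsm_last_ = I_last_ in
    let new_R_fsm_rst = Rst in

    (new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_ctr0_in,
     new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry, new_R_ctr0_out,
     new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1, new_R_ctr1_irden, new_R_ctr1_new,
     new_R_ctr1_cry,
     new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2, new_R_ctr2_irden,
     new_R_ctr2_new,
     new_R_ctr2_cry, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3,
     new_R_ctr3_irden,
     new_R_ctr3_new, new_R_ctr3_cry, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load, new_R_icr_old,
     new_R_icr_mask,
     new_R_icr_rden, new_R_icr, new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden,
     new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
     new_R_wr,
     new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch)"

  );;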


%------------------------------------------------------------------------------
 Output definition for EXEC instruction.

 rEXEC_out takes the representation variable rep, the tuple of current
 R-port state variables and the tuple of environment inputs, and yields
 the tuple (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led,
 Reset_error, Pmm_invalid).

 What the body below establishes:
   - FSM next state: R_fsm_rst gives RI; from RI the FSM moves to RA when
     R_fsm_ale_ is low; from RA it moves to RD when R_fsm_mrdy_ is low;
     in the remaining case it moves to RI when R_fsm_last_ is low, else RA.
   - r_writeA and r_writeB both require Disable_writes to be low, the write
     flag to be set and the next FSM state to be RD.  Every register load in
     this definition (ccr, gcr, counter inputs, icr load, old and mask) is
     conditioned on r_writeB, so those registers hold their value while
     Disable_writes is asserted.
   - All four interrupt outputs contain the conjunct "not Disable_int".
   - r_int0_en is the OR, for i = 0..7, of ICR bit i AND ICR bit i+8;
     r_int3_en is the same over bits 16..23 paired with bits 24..31.
   - new_R_int1_en and new_R_int2_en are written as three-way conditionals
     (set, clear, hold); when the set and clear conditions hold together
     the value is ARB, i.e. left unspecified.
   - The status word is assembled from ARBN by ALTER / MALTER: bit 28
     MB_parity, 27..25 C_ss, 24 CB_parity, 23..22 ChannelID, 21..16 Id,
     15..12 S_state, 9 Pmm_fail, 8 Piu_fail, 3..2 Reset_cpu, 1..0 Cpu_fail.
   - I_ad_out is new_R_busA_latch when the write flag is clear and the next
     FSM state is RA or RD, otherwise ARBN.  I_srdy_ is ARB outside RA / RD.
   - Led is bits 3..0 of the new gcr value, Reset_error is bit 24 and
     Pmm_invalid is bit 28; Ccr is R_ccr unchanged.

 NOTE(review): this listing is OCR text.  The glyphs A, V, I and - / ~
 appear to stand for the HOL conjunction, disjunction, conditional bar and
 negation, and several identifiers are visibly damaged; confirm every name
 against the original report before loading this into HOL.
 NOTE(review): new_R_ctr3_cry is printed in terms of R_ctr3_cry, whereas
 new_R_ctr1_cry uses R_ctr0_cry; check whether R_ctr2_cry was intended.
 NOTE(review): new_R_icr_rden tests only the next FSM state, while the
 other read enables go through r_readB, which also requires the write flag
 to be clear; confirm this asymmetry is intended.
------------------------------------------------------------------------------%

let rEXEC.out.def = new_definition 
( 4 rEXEC_out\ 

“I (rep i^ep.ty) 

(R.fsm.state :rfsm_ty) 

(R.ctiO.in R_ctrO R_ctK)_new R.ctrO.out R.ctrl.in R.ctrl R_ctrl_new R_ctrl_out R_ctr2_in R_ctr2 R_ctr2_new 
R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R.icr.old R.icr.mask R.icr R_ccr R_gcr R.sr R_reg_sel 
R.busAJatch :wordn) 

(R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm _rst R_ctrO_mux_sel R_ctrO_irden R.ctrO.cry R_ctiO_onien 
R_ctrl.mux_.sel 

R_ctrl_irden R_ctrl_cry R_ctrl_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel 
R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R.icr _/den R_ccr_iden R_gcr_rden R.sr.rden R_intO_dis 
R_int3_dis R.cOl _cout.de 1 R_intl_en R_c23_cout_del R_int2_en R_wr R.cntlatch.del R_srdy_del_ :bool) 

(I.ad.in I_be_ Cpu.fail Reset_cpu S.state Id CbannellD C_ss :wordn) 

(ClkA Rst I_rale_ I.last. I.mrdy. Disable.int Disable.writes Piu.fail Pmm.fail CB_parity MB_parity :bool) . 
rEXEC_out rep 

(R_fsm_state, R.fsm.ale., R.fsm _mrdy_, R.fsm.last., R.fsm.rst, R.ctrO _in, R_ctrO.mux.sel, R.ctrO, 
R.ctrO.irden, R.ctiO.new, R.ctrO.cry, R.ctiO.out, R_ctrO_orden, R_ctrl_in, R.ctrl.mux.sel, 

R_ctrl, R.ctrl .irden, R.ctrl .new, R.ctrl .cry, R.ctrl .out, R.ctrl .orden, R_ctr2_in, R_ctr2_mux_sel, 
R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel, 
R_ctr3, R_ctr3 .irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R.icr.old, 
R_icr_mask, R_icr_rden, R_icr, R.ccr, R.ccr.rden, R_gcr, R_gcr_rden, R.sr, R.sr.rden, R.intO.dis, 
R_int3_dis, R.cOl .cout.del, R.intl.en, R_c23_cout_del, R_int2_en, R.wr, R.cntlatch.del, R_srdy_del_, 
R_reg_sel, R_busA_latch) 

(ClkA, Rst, I_ad_in, I_rale_, I.last., I_be_, I.mrdy., Disable.int, Disable. writes, 

Cpu.fail, Reset.cpu, Piu.fail, Pmm.fail, S.state, Id, ChannellD, CB_parity, MB .parity, C_ss) = 

let new_R_fsm_state = 

((R_fsm_rst) => RI ! 

((R.fsm.state = RI) => ((~R.fsm.ale_) => RA I RI) I 
((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD I RA) I 
((-R.fsm.lastJ => RI I RA)))) in 
let r_fsm_cndatch = ((R.fsm.state = RI) A ~R.fsm.ale_) in 
let r_fsm_srdy_ = -((R.fsm.state = RA) A -R.fsm.mrdy.) in 
let new.R.wr = ((-I.rale.) => (ELEMENT I.ad.in (27)) I R.wr) in 
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let new_R_cotlateh_del = r_fsm_cntlatch in 
let new_R_srdy_del_ = r_fsm_sidy_ in 
let new_R_reg_sel = 

((~I_rale_) => (SUBARRAY I_ad_in (3,0)) I 
((-R_srdy_del_) => (INCN 3 R_reg_sel) I R_reg_sel)) in 
let r_reg_sel = ((~R_srdy_del J => (INCN 3 R_reg_sel) I R_reg_sel) in 
let r_writeA = (-Disable_writes A R_wr A (new_R_fsm_state = RD)) in 
let r_writeB = (-Disable_writes A new_R_wr A (new_R_fsm_state = RD)) in 
let r_readA = (-R_wr A (new_R_fsm_state = RA)) in 
let r_readB = (-new_R_wr A (new_R_fsm_state = RA)) in 

let r_cir_wi01A = ((r.writeA A ((r_reg_sel = (WORDN 8)) V (r_reg_sel = (WORDN 9))))) in 

let rIcir_wi01B = ((r_writeB A ((r_reg_sel = (WORDN 8)) V (r_reg_sel = (WORDN 9))))) in 

let r_cir wr23A = ((r_writeA A ((r_reg_sel = (WORDN 10)) V (r_reg_sel = (WORDN 11))))) in 

let r_cir_wi23B = ((r.writeB A ((r_reg_sel = (WORDN 10)) V (r_reg_sel = (WORDN 11))))) in 

let newj*_ccr = ((r.writeB A (r_reg_sel = (WORDN 3))) => I_ad_in I R_ccr) in 

let new_R_ccr_rden = (r_readB A (r_reg_sel = (WORDN 3))) in 

let new R gcr = ((r_writeB A (r_reg_sel = (WORDN 2))) => I_ad_in I R_gcr) in 

let new_R_gcr_rden = (r_readB A (r_reg_sel = (WORDN 2))) in 

let new_R_c01 _cout_del = R_ctil_cry in 

let Dew_R_intl_en = 

((((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT new_R_gcr (16))))) A 
-(-(ELEMENT new_R_*cr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => T I 
((-((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cty A (ELEMENT new_R_gcr (16))))) A 
(-(ELEMENT new_R_*cr (18)) V ((ELEMENT new_R_gcr (17)) AR_c01_cout_del))) => F I 
((-((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctr l_cry A (ELEMENT new_R_gcr (16))))) A 
-(-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => R_intl_en I ARB))) in 
let new_R_c23_cout_del = R_ctr3_cry in 
let new_R_int2__en = 

((((ELEMENT new_R_gcr (22)) A (r„cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
-(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => T I 
((-((ELEMENT new_R_gcr (22)) A (r_cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) AR_c23_cout_del))) => F I 
((-((ELEMENT new_R_gcr (22)) A (r_cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
-(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => R_int2_en I ARB))) in 
let new_R_ctiO_in = ((r_writeB A (r_reg_sel = (WORDN 8))) => I_ad_in I R_ctrO_in) in 
let new_R_ctrO_mux_sel = (r_cir_wr01B V ((ELEMENT new_R_gcr (16)) A R_ctrl_cry)) in 
let new_R_ctrO_irden = (rreadB A (r_reg_sel = (WORDN 8))) in 
let new_R_ctrO = ((R_ctrO_mux_sel) => R_ctiO_in I R_ctiO_new) in 
let new_R_ctrO_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_cttO) I R.ctiO) in 
let new_R_ctrO_cry = ((ONES 31 R_ctiO) A (ELEMENT new_R_gcr (19))) in 
let new_R_ctrO_out = ((r_fsm_cntlateh) => R_ctrO_new 1 R_ctiO_out) in 
let new_R_cttO_orden = (r_readB A (r_reg_sel = (WORDN 12))) in 
let new_R_ctrl_in = ((r.writeB A (r_reg_sel = (WORDN 9))) => I_ad_in I R_ctrl_in) in 
let new_R_ctrl_mux_sel = (r_cir_wi01B V ((ELEMENT new_R_gcr (16)) A R_ctrl_cry)) in 
let new_R_ctrl_iiden = (r_readB A (r_reg_sel = (WORDN 9))) in 
let new_R_ctrl = ((R_ctrl_mux_sel) => R_ctrl_in I R_ctrl_new) in 
let new_R_ctrl_new = ((R_ctrO_cry) => (INCN 31 R_ctrl) I R_ctrl) in 
let new_R_ctrl_cry = ((ONES 31 R_ctrl) A R_ctiO_cry) in 
let new_R_ctrl_out = ((R_cntlatch_del) => R_ctrl_new I R_ctrl_out) in 
let new_R_ctrl_orden = (r_readB A (r_reg_sel = (WORDN 13))) in 
let new_R_ctr2_in = ((r.writeB A (r_reg_sel = (WORDN 10))) => I_ad_in I R_ctr2_in) in 
let new_R_ctr2_mux_sel = ((r_cir_wr23B V ((ELEMENT new_R_gcr (20)) A R_ctr3_cry))) in 
let new_R_ctr2_irden = (r_readB A (r_reg_sel = (WORDN 10))) in 
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in I R_ctr2_new) in 
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let new_R_ctr2_Dew = (((ELEMENT oew_R_gcr (23))) => (INCN 31 R_ctr2) I R_ctr2) in 

let new_R_ctr2_cry = ((ONES 31 R_ctr2) A (ELEMENT new_R_gcr (23))) in 

let new_R_ctr2_out = ((r_fsm_cn Hatch) => R_ctr2_new I R_ctr2_out) in 

let new_R_ctr2_orden = (r_readB A (r_reg_sel = (WORDN 14))) in 

let new_R_ctr3_in = ((r_writeB A (r_reg_sel = (WORDN 11))) => I_adjn I R_ctr3Jn) in 

let new_R_ctr3_mux_sel = ((r_cir_wr23B V ((ELEMENT new_R_gcr (20)) A R_ctr3_cry))) in 

let new_R_ctr3_irden = (r_readB A (r_reg_sel = (WORDN 11))) in 

let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3 Jn I R_ctr3_new) in 

let new_R_ctr3_new - ((R_ctr2_cry) => (INCN 31 R_ctr3) ! R_ctr3) in 

let new_R_ctr3_cry = ((ONES 31 R_ctr3) A R_ctr3_cry) in 

let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new I R_ctr3_out) in 

let new_R_ctr3_orden = (r_readB A (r_reg_sel = (WORDN 15))) in 

let new_R_icr_load = (r_writeB A ((r _reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) in 
let new_R_icr_old = 

((r_writeB A ((r.reg^sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) => RJcr I RJcr.old) in 
let new_R_icr_mask = 

((r_writeB A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) => I_ad_in I R_icr_mask) in 
let new_R_icr = 

((RJcr Jo ad) => 

((-(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) I (Ora rep (R Jcr_old, R_icr_mask))) I 
RJcr) in 

let new_R_icr_rden = (( new_R_fsm_state = RA) A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) in 
let sr28 = (ALTER ARBN (28) MB .parity) in 
let sr28.25 = (M ALTER sr28 (27,25) C_ss) in 
let sr28_24 = (ALTER $r28_25 (24) CB^parity) in 
let sr28_22 = (M ALTER sr28_24 (23,22) ChannellD) in 
let sr28_16 = (MALTER sr28_22 (21,16) Id) in 
let sr28_12 = (MALTER si28_16 (15,12) S_state) in 
let sr28_9 = (ALTER sr28_12 (9) Pmmjail) in 
let sr28_8 = (ALTER sr28_9 (8) Piujail) in 
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in 
let sr28_0 = (MALTER sr28_2 (1,0) Cpujail) in 
let new_R_sr = ((rjsm_cntlatch) => sr28_0 1 R_sr) in 
let new_R_sr_rden = (r_readB A (r_ieg_sel = (WORDN 4))) in 
let r_intO_en = (((ELEMENT RJcr (0)) A (ELEMENT RJcr (8))) V 
((ELEMENT RJcr (1)) A (ELEMENT RJcr (9))) V 
((ELEMENT RJcr (2)) A (ELEMENT RJcr (10))) V 
((ELEMENT RJcr (3)) A (ELEMENT RJcr (11))) V 
((ELEMENT RJcr (4)) A (ELEMENT RJcr (12))) V 
((ELEMENT RJcr (5)) A (ELEMENT RJcr (13))) V 
((ELEMENT RJcr (6)) A (ELEMENT RJcr (14))) V 
((ELEMENT RJcr (7)) A (ELEMENT RJcr (15)))) in 
let new_R_intO_dis = r_intO_en in 

let rjnt3_en = (((ELEMENT RJcr (16)) A (ELEMENT RJcr (24))) V 
((ELEMENT RJcr (17)) A (ELEMENT RJcr (25))) V 
((ELEMENT RJcr (18)) A (ELEMENT RJcr (26))) V 
((ELEMENT RJcr (19)) A (ELEMENT RJcr (27))) V 
((ELEMENT RJcr (20)) A (ELEMENT RJcr (28))) V 
((ELEMENT RJcr (21)) A (ELEMENT RJcr (29))) V 
{(ELEMENT RJcr (22)) A (ELEMENT RJcr (30))) V 
((ELEMENT RJcr (23)) A (ELEMENT RJcr (31)))) in 
let new_R_int3_dis = r_int3_en in 
let new_R_busA Jatch = 

((R_ctr0_irden) => R_ctrO_in I 
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((R_cti€_orden) => R_ctrO_out I 
((R_ctrl_irden) => R_ctrl_in I 
((R_ctrl_orden) => R_ctrl_out I 
((R_ctr2_irden) => R_ctr2_in I 
((R_ctr2_orden) => R_ctr2_out I 
((R_ctr3_irden) => R_ctr3_m I 
((R_ctr3_orden) => R_ctr3_out I 
((R_icr_rden) => new_R_icr I 
((R_ccr_rden) => R_ccr I 
((R_gcr_rden) => R_gcr I 
((R_sr_rden) => Rjr I ARB)))))))))))) in 
let oew_R_fsm_ale_ = I_rale_ in 
let new_R_fsm_mrdy_ = I_mrdy_ in 
let new_R_fsm_last_ = I_last_ in 
let new_R_fsm_rst = Rst in 

let I_ad_out = ((-R_wr A ((new_R_fsm_state = RA) V (new_R_fsm_state = RD))) => new_R_busA_latch I ARBN) in 
let I_srdy_ * 

(((new_R_fsm_state = RA) V (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) A (new_R_fsm_state = RD)) I 

ARB) in 

let IntO_ = ~(r_intO_en A ~R_intO_dis A ~Disable_int) in 
let Inti = (R_ctrl_cry A new_R_intl_en A ~Disable_int) in 
let Int2 = (R_ctr3_cry A new_R_int2_en A -Disable.int) in 
let Int3_ = ~(r_int3_en A ~R_int3_dis A -Disablejnt) in 
let Ccr = R_ccr in 

let Led = (SUB ARRAY new_R_gcr (3,0)) in 

let Reset_error = (ELEMENT new_R_gcr (24)) in 

let Pmm_in valid = (ELEMENT oew_R_gcr (28)) in 

(I_ad_out, I„srdy_, IntO_, Inti, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalidr 

);; 
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D.4 C Port Specification 


%------------------------------------------------------------------------------

File: c_clockl.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ML source for the clock-level specification of the C-Port of the FTEP PIU, 
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. 
The bulk of this code was translated from an M-language simulation program using a translator 
written by P.J. Windley at the University of Idaho. 

------------------------------------------------------------------------------%


% Session setup for the C-port theory: extend the search path with the     %
% project library directory, delete the theory file named in the shell     %
% command, open a new theory, load the file named abstract, and declare    %
% the four parent theories listed in the new_parent call.                  %
% NOTE(review): the added search-path entry is an absolute path under one  %
% user's home directory.  Presumably loadf and new_parent resolve names    %
% through this path, in which case whatever files sit in that directory    %
% are trusted inputs to the proof session; confirm the directory is        %
% controlled and not writable by others when reproducing the proof.        %
% NOTE(review): the system call passes a fixed command string to the       %
% shell; presumably it clears a theory file left by an earlier run so that %
% new_theory can create it again.                                          %
set_search_path (search_path() @ l‘/home/titan3/dfura/ftep/piu/hol/lib/‘]);; 
system 4 rm c_clockl .th 4 ;; 
new_theory 4 c_clockr;; 
loadf 'abstract 4 ;; 


map new_parent [ 4 caux_def‘ ; 4 aux_def 4 ; 4 array_def 4 ; 4 wordn_def 4 ] ; ; 

% Status codes held as HOL terms for antiquotation into the definitions    %
% that follow.  In cEXEC_inst the M-prefixed codes are compared with       %
% C_sfsm_ms and CB_ms_in, and the S-prefixed codes with C_mfsm_ss and      %
% CB_ss_in.  The two groups reuse the same numerals (5, 6, 7), so a code   %
% is only meaningful together with the signal it is compared against.      %
% NOTE(review): the numeral of MABORT is illegible in this listing;        %
% SABORT is WORDN 0, and MABORT is presumably the same. Confirm against    %
% the original report.                                                     %
let MSTART = “WORDN 4”;; 
let MEND = 44 WORDN 5”;; 
let MRDY = “WORDN 6”;; 
let MWAIT = “WORDN 7”;; 
let MABORT = ‘WORDN CT ;; 

let SACK = “WORDN 5”;; 
let SRDY = 'WORDN 6”;; 
let SWAIT = “WORDN 7”;; 
let SABORT = “WORDN 0”;; 


% cc_state_ty is the product type of the C-port state, and cc_state is a   %
% tuple of state variables constrained to that type by antiquotation.      %
% The component order of the type and of the tuple must agree position by  %
% position; the three FSM state components have types cmfsm_ty, csfsm_ty   %
% and cefsm_ty, the rest are bool or wordn.                                %
let cc_state_ty = “:(cmfsm_ty#bool#bool#bool#bool#wordn#bool# 
csfsm_ty#bool#bool#bool#wordn# 
cefsm_ty#bool#bool#bool#bool#bool#bool# 
bool#wordn#bool#bool#bool#wordn#bool# 
bool#bool#bool#bool#bool#bool#bool# 

bool#bool#bool#wordn#wordn#wordn#wordD#wordn#wordn)”;; 
let cc_state = u ((C_mfsm_state,C_mfsm_D 1 C_mfsm_rstC_mfsm_crqt_,C_mfsm_hold_,C _jnfsm_ss,C_mfsm_invalid, 
C_sfsm_state,C_sfsm_D,C_sfsm_rst,C_sfsm_hlda_,C_sfsm_ins, 

C_efsm_state,C_efsm_cale_,C_efsm_last_,C_efsm_male_,C_efsm_rale_ J C_efsm_srdy_,C_efsm_rst, 

C_wr,C_sizewrbe > C_clkA,C_last_m_,C_lock_m_,C_ss,C_last_out_, 

C_ho ld_ ,C_hoLd A_, C_co ut_0 J e_del , C_c in_2_l e ,C ^mrdy_del_ 1 C_iad_en_s_del,C_iad_en_s_delA , 
C_wrdy,C_rrdy,C_parity,C_source l C_data_m,C_iad_out,C_iad_in,C_ala0,C_a3a2) 

: A cc_state_ty)’’;; 


% cc_env_ty and cc_env: type and variable tuple for the environment        %
% inputs of the C port (I-prefixed and CB-prefixed signals, clocks, reset, %
% Id, ChannelID, failure flags, Ccr, Reset_error).                         %
let cc_env_ty = “:(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#booi#bool# 
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wordn#wordD#wordn#wordn#bool#bool#bool#bool#wordD#wordD#bool#bool#wordn#bool)”;; 

let cc_env = “((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I.male.in., I.last.in., I.srdy.in., 

I_lock_, I_cale_, I_hlda_, I_crqt_, 

CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_m, 

Rst, ClkA, ClkB, ClkD, Id, ChannellD, Pmm.failure, Piu.invalid, Ccr, 

Reset_eiror) 

: A cc_env_ty)”;; 

% cc_out_ty and cc_out: type and variable tuple for the C-port outputs;    %
% the tuple includes Disable_writes and CB_parity.                         %
let cc_out_ty = ‘^(bool#bool#bool#bool#bool#bool#bcx)l#wordn#wordn# 
bool#wordD#wordn#wordD#wordn#bool#bool) M ;; 

let cc.out = “((L.cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, Lmale_out_, IJast_out_, I_srdy_out_, 

I_ad_out, I_be_out_, 

CB_rqt_out_, CB.ms.out, CB_ss_out, CB.ad.out, C_ss_out, Disable.writes, CB^parity) 
: A cc_out_ty)”;; 

% rep_ty is obtained from abstract_type applied to the theory aux_def and  %
% the constant Andn; it is the type of the rep argument of the definitions %
% below.                                                                   %
let rep.ty = abstract_type *aux_def ‘Andn 4 ;; 


%------------------------------------------------------------------------------
 Next-state definition for EXEC instruction.

 cEXEC_inst takes the representation variable rep, the tuple of current
 C-port state variables and the tuple of environment inputs, and computes
 the next values of the state through a chain of let bindings.

 What the body below establishes:
   - c_write is C_wr while the master FSM state is neither CMI nor CMR,
     otherwise bit 5 of C_sizewrbe.  c_new_write is the same selection made
     on the next master state and the new values.
   - c_busy holds when bits 3..1 of CB_rqt_in_ differ from WORDN 7.
   - c_grant is a function of bits 1..0 of Id and bits 0..3 of CB_rqt_in_.
   - c_addressed holds when Id equals bits 15..10 of C_source.
   - Three state machines are stepped: the master FSM (states CMI, CMR,
     CMA3, CMA1, CMA0, CMA2, CMD1, CMD0, CMW, CMABT), the slave FSM (CSI,
     CSL, CSA1, CSA0, CSA0W, CSALE, CSRR, CSD1, CSD0, CSACK, CSABT) and the
     E FSM (CEI, CEE).  Each returns to its idle state on its rst input.
     The master FSM leaves CMI only when C_mfsm_invalid is low, and the
     slave FSM leaves CSI or CSL for CSA1 only when c_addressed holds and
     c_grant does not.
   - Rst forces C_sizewrbe, C_source and C_data_in to WORDN 0 and
     C_last_in_ and C_lock_in_ to F.
   - Words taken from CB_ad_in are stored through Par_Dec rep; c_pe is
     Par_Det rep applied to CB_ad_in.
   - new_C_parity is a three-way conditional: it becomes T when
     ClkD, c_pe and c_pe_cnt all hold and Reset_error is low; it becomes F
     when that condition is false and Reset_error is high; it holds its
     value when neither applies; it is ARB (unspecified) when the error
     condition and Reset_error coincide.
   - c_pe_cnt requires ClkD and either c_mparity differing from c_sparity
     or bits 1..0 of CB_ss_in equal to WORDN 0.

 NOTE(review): as printed, the tuple returned at the end of this definition
 lists the current-state variables (C_mfsm_state, C_mfsm_D, ...) and none
 of the new_C_* values bound above, whereas the R-port next-state
 definition returns its new_R_* values.  If the original report reads the
 same way, the definition states that the C-port state never changes;
 confirm against the original before relying on any property proved
 from it.
 NOTE(review): this listing is OCR text.  The glyphs A, V, I and - / ~
 appear to stand for the HOL conjunction, disjunction, conditional bar and
 negation, "A" before a constant name appears to be an antiquotation mark,
 and several identifiers are visibly damaged.  The bare number 199 in the
 middle of c_grant is a page number from the scan, not part of the term.
------------------------------------------------------------------------------%


let cEXEC_inst_def = new_definition 
(‘cEXEC_inst\ 

“I (rep: A rep_ty) 

(C_mfsm_state:cmfsm_ty) (C_sfsm__state:csfsmjy) (C_efsm_state:cefsm__ty ) 

(C_mfsm_ss C.sfsm.ms C_sizewrbe C_ss C_source C_data_in C_iad_out C.iad.in C_alaO C_a3a2 : wordn) 
(C.mfsm J) C.mfsm.rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_ 
C_efsm_cale_ C_efsm_last_ C.efsm.male. C_efsm_rale_ C.efsm.srdy. C_efsm_rst 
C_wr C clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le 
C_mrdy del_ C_iad_en_s_del C.iad.en.s.delA C_wrdy C_rrdy C_parity :bool) 

(I.ad.inl.be.m. CB_rqt_in_ CB.ad.in CB_ms_in CB.ss.in Id ChannellD Ccr :wordn) 

(I_mrdy_in_ l_rale_in_ I_male_in_ I_last _in_ l_srdy_in_ I _lock_ I.cale. I.hlda. I.crqt. 

Rst ClkA ClkB ClkD Pmm.failure Piu.invalid Reset.error :bool) . 


cEXEC.inst rep 

(C_mfsm_state, C_mfsm__D 


, C.mfsm.rst, C.mfsm.crqt., C.mfsm.hold., C.mfsm.ss, C.mfsm.invalid, 


C.sfsm.state, C.sfsm.D, C.sfsm.rst, C.sfsm.hlda^ C.sfsmjns, 

C.efsm.state, C.efsm.cale., C.efsm.last., C.efsm.male., C.efsm.rale., C.efsm.srdy., C.efsm.rst, 
C_wr, C.sizewrbe, C.clkA, C.last.in., C.lock.in., C.ss, C .last.out., 

C.hold., C.holdA., C.cout.OJe.del, C_cin_2_le, Cjnrdy.del., C_iad.en_s.del, C_iad.en_s.delA, 
C.wrdy, C.rrdy, C_parity, C.source, C.data.in, C.iad.out, C.iad.in, C_alaO,C_a3a2) 

(I.ad.in, I.be.in., I.mrdy.in., I.rale.in., Ijmale.in., I.last.in., I.srdy.in., 

I.lock., I.cale., I.hlda., I.crqt., CB.rqt.m_, CB.ad.in, CB.ms.in, CB.ss.in, 

Rst, ClkA, ClkB, ClkD, Id, ChannellD, Pmm.failure, Piu.invalid, Ccr, Reset.error) = 


let c.write = ((( -(C.mfsm.state = CMI» A (-(C.mfsm.state = CMR))) => C.wr I (ELEMENT C.sizewrbe (5))) in 

let c.busy = (-((SUBARRAY CB.rqt.in. (3,1)) = (WORDN 7))) in 

let c_grant = ((((SUB ARRAY Id ( 1 ,0)) = (WORDN 0)) A -(ELEMENT CB jqt.in. (0))) 

V (((SUB ARRAY Id ( 1 ,0)) = (WORDN 1 )) A -(ELEMENT CB.rqt.in. (0)) 

A (ELEMENT CB.rqt.in. (1))) 

V (((SUB ARRAY Id (1 ,0)) = (WORDN 2)) A -(ELEMENT CB.rqt.in. (0)) 

A (ELEMENT CBjqt.in. (1)) 

A (ELEMENT CB.rqt.in. (2))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 3)) A -(ELEMENT CB.rqt.in. (0)) 

A (ELEMENT CB.rqt.in. (1)) 


199 


A (ELEMENT CB_rqtJn_ (2)) 

A (ELEMENT CB_rqt_in_ (3)))) in 
let c_addressed = (Id = (SUB ARRAY C_source (15,10))) in 
let c_mfsm_stateA = 

((C_mfsm_rst) => CMI I 
((C_mfsm_state = CMI) => 

(C_mfsm_D A ~Cjnfsm_ciqt_ A ~c_busy A ~C_mfsm_in valid) => CMR I CMI I 
((C_mfsm_state = CMR) => (C_mfsm_D A c _grant A C_mfsm_hold_) => CMA3 I CMR I 
((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 I CMA3) I 
((C_mfsm_state = CMA1) => 

(C_mfsm_D A (Cjnfsm.ss = A SRDY)) => CMAO I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMA1 I 
((C_mfsm_state = CMAO) => 

(Cjnfsm.D A (C_mfsm_ss = A SRDY)) => CMA2 1 
(C_mfsm_D A (C jnfsm^ss = A S ABORT)) => CMABT I CMAO I 
((C_mfsm_state = CM A2) => 

(C_mfsm_D A (C_mfsm_ss = A SRDY)) => CMD1 I 
(Cjnfsm__D A (C_mfsm_ss = A S ABORT)) => CMABT I CMA2 I 
((C_mfsm_state = CMD1 ) => 

(C_mfsm_D A (C_mfsm_ss = A SRDY)) => CM DO I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMD1 1 
((C_mfsm_state = CM EX)) => 

(C_ J mfsmJD A (C_mfsm_ss m A SRDY) A C_last_in_) => CMD1 I 
(C_mfsm_D A (C_mfsm_ss = A SRDY) A ~C_last_in_) => CMW I 
(CjnfsmJD A (C jnfsm_ss = A S ABORT)) => CMABT I CMDO I 
((C_mfsm_state = CMW) => 

(C_mfsm„D A (C_mfsm_ss = A S ABORT)) => CMABT I 
(C_mfsm_D A (C_mfsm_ss = A S ACK) A C_lock_inJ => CMI I 

(C_jnfsm_D A (C^nfsm_ss = A SRDY) A -CJock_in_ A -C.mfsm.crqtJ => CMA3 I CMW I 
((-C JastJn J => CMI I CMABT))))))))))) in 
let c_sfsm_stateA = 

((C_sfsm_rst) => CSI I 

(C_sfsm_state = CSI) => 

((C_sfsm_D A (C_sfsm__ms = A MSTART) A ~c_grant A c_addressed) => CSA1 I CSI) I 
(C_sfsm_state = CSL) => 

((C_sfsm_D A (C_sfsm_ms = A M START) A ~c _grant A c_addressed) => CSA1 I 
(C_sfsm_D A (C_sfsm_ms = A M START) A ~c _grant A ~c_ad dressed) => CSI I 
(C_sfsmJ) A (C_sfsm_ms = A MABORT)) => CSABT I CSL) I 
(C_sfsm_state = CSA1) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSAO I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSA1) I 
(C_sfsm_state = CSAO) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A ~C_sfsmJilda_) => CSALE I 
(C_sfsm_D A (C_sfanjns = A MRDY) A C_sfsm_hlda_) => CS AOW I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAO) I 
(C_sfsm_state = CSAOW) => 

((C_sfsm_D A (C_sfsm_ms * A MRDY) A -C_sfsm _hlda_) => CSALE I 
(C_sfsm_D A (C_sfsmjns = A MABORT)) => CSABT I CSAOW) I 
(C_sfsm_state = CSALE) => 

((C_sfsm_D A c_write A (C_sfsm _ms = A MRDY)) => CSD1 I 
(C_sfsm_D A ~c_write A (C_sfsm_ms * A MRDY)) => CSRR I 
(C_sfsm_D A (C_sfsm_ms > A M ABORT)) => CSABT I CSALE) I 
(C_sfsm_state = CSRR) => 

((C_sfsm_D A ~(C_sfsm_m s = A M ABORT)) => CSD1 I 
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(C_sfsm_D A (C_sfsm_ms = A M ABORT)) => CSABT I CSRR) I 
(C_sfsm_state = CSD1 ) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSDO I 
(C_sfsm_D A (C_sfsmjns = A MABORT)) => CSABT 1 CSD1) I 
(C_sfsm_state = CSDO) => 

((C_sfsm_D A (C_sfsm_ms = A MEND)) => CSACK I 
(C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSD1 I 
(C_sfsm„D A (C_sfsm_ms = A MABORT» => CSABT I CSDO) I 
(C_sfsm_state = CSACK) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSL I 
(C_sfsm_D A (C_sfsm_ms = A MWAIT)) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSACK) I 
(C_sfsm_D) => CSI I CSABT) in 

let c_efsm_stateA = 

((C_efsm_rst) => CEI I 

(C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE I CEI) I 

(( ~C_ef sm_last_ A -C_efsm_srdy_) V ~C_efsm_male_ V ~C_efsm_rale_) => CEI I CEE) in 
let c_srdy_en = ( (c_ef sm_state A = CEE) V (C_efsm_state = CEE)) in 
let couLselO = (ALTER ARBN (0) (((c_sfsm_stateA * CSD1) V (c_sfsm_stateA = CSDO)) => 

(c_sfsm_stateA *= CSD1) l 

(c_mfsm_stateA = CM A3) V (c_mfsm_stateA = CMA1) 

V (c_mfsm_stateA = CMD1))) in 

let cout_sellO = (ALTER cout.selO (1) (((c_sfsm_stateA = CSD1) V (c_sfsm_stateA = CSDO)) => 

FI 

(c_mfsm_stateA = CMA3) V (c_mfsm_stateA = CMA2))) in 

let c_cout_sel = cout_sellO in 

let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) I C_wr) in 

let new_C_s izewrbe = ((Rst) => (WORDN 0) I 

( ((c_sfsm_stateA = CSAO) A C.clkA) => (SUBARRAY C_datajn (31,22)) I C_sizewrbe)) in 

let c_new_write = (((— (c _jnfsin_stateA = CMI)) A (-(c_mfsin_stateA = CMR))) => 
new_C_wr I (ELEMENT new _C_s izewrbe (5))) in 
let new_C_clkA = ClkD in 
let new_C_last_m_ = ((Rst) => F I 

( (( c_mf sm_s tate A = CMABT) V (c_mfsm_stateA = CMD1) A ClkD) => I Jast_in_ I 
C_last_in_)) in 

let new_C_lock_in_ » ((Rst) => F I 

((c_mfsm_stateA = CMA1) => I_lock_ I 
C_lock_in_)) in 

let new_C_ss = (((-(c_mfsm_stateA = CMABT)) A (~(c_mfsm_stateA = CMI))) => CB_ss_in I C_ss) in 
let c_jnend = (CB_ms_in = A MEND) in 
let c_mabort = (CB_ms_in = A M ABORT) in 
let new_C_last_out_ = 

((( c _sfsm_stateA = CSA1) A -(ClkD A (c_meod V c_mabort))) => T I 
((-(c_sfsm_stateA = CS A1 ) A (ClkD A (cjnend V c_mabort))) => F I 
((~(c_sfsm_stateA = CSA1) A -(ClkD A (c_mend V c_mabort))) => CJast_out_ I ARB))) in 
let c_srdy = (CB_ss_in = A SRDY) in 

let cldfsm_master = ((c_mfsm_stateA = CMA3) V (c_mfsm_stateA = CMA2) V (c_mfsm_stateA = CM Al) 

V (c_mfsm_stateA = CMAO) V (c_mfsm_stateA = CMD1) V (c_mfsm_stateA = CMDO)) in 
let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) V (c_mfsm_stateA = CMA1) V (c_mfsm_stateA = CMAO) 

V (c_mfsm_stateA = CMA2) 

V (c_new_write A ((c_mfsm_stateA = CMD1 ) V (c_mfsm_stateA = CMDO))) 

V (~c_new_write A ((c_sfsm_stateA = CSD1 ) V (c_sfsm_stateA = CSDO)))) in 
let new_C_hold_ = (c_sfsm_stateA = CSI) in 
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let new_C_holdA_ = ((ClkD) => C_hold_ I CJioldAJ in 

let ne w_C_cou t_0_ le_de 1 = ((I_cale_) V (I_srdy_in_ A -c_new_write) 

V ((c_mfsm_stateA = CMAO) A c_srdy A c_new_write A ClkD) 

V ((c _mfsm_stateA - CMDO) A c_new_write A c_srdy A ClkD)) in 
let new_C_cin_2_le = (ClkD A (((c _mfsm_stateA = CMDO) A c_srdy A ~c_new_ write) V 

((c_sf&m_stateA = CS AO)) V 
((c_sfsm_stateA = CSDO) A c_new_write))) in 

let new_C_mrdy_del_ = -((~c_new_write A ClkD A ((c_sfsm_stateA = CSALE) V (c_sfsm_stateA = CSD1))) V 
(~c_new_ write A C_clkA A (c_sfsm_stateA = CSACK)) V 
(c_new_write A ClkD A (c_sfsm_stateA = CSDO))) in 
let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) A (~(C_sfsm_state = CSALE))) 

V ((c_sfsm_stateA = CSALE) A c_new_write) 

V ((c_sfsm_stateA = CSD1) A c_new_write A (-(C_sf$m_state = CSRR))) 

V ((c_sfsm_stateA = CSDO) A c_new_write) V 
((c_sfsm_stateA = CSACK) A c_new_write)) in 

let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del I C_i ad_en_s_delA ) in 
let new_C_wrdy = (c_srdy A c_new_write A (c_mfsm_stateA = CMD1) A ClkD) in 
let new_C_rrdy = (c_srdy A ~c_new_write A (c _mfsm_stateA = CMDO) A ClkD) in 
let c_pe = (Par_Det rep (CB_ad_in)) in 

let c_m parity = (( c_mfsm_state A = CM A3) V (c __mfsm_stateA * CMA1) V (c_jnfsm_stateA = CMAO) 

V (c_jnfsm_stateA = CM A2) V (c_mfsm_stateA = CMD1) V (c _jnfsm_stateA = CMDO) 

V (C_mfsm_state = CMA1) V (C_mfsm_state = CMAO) V (Qjnfsm_state = CMA2) 

V (C_mfsm_state = CMD1)) in 

let c_sparity = ((~(c_sfsm_stateA = CSI)) A (~(c_sfsm_stateA = CSACK)) A ( -(c_sfsm_stateA = CSABT))) in 
let c_pe_cnt = (ClkD A ((-(c_mparity = c_spanty)) V ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in 
let new_C_panty = 

(((ClkD A c_pe A c_pe_cnt) A ~Reset_error) => T I 
((-(ClkD A c_pe A c_pe_cnt) A Reset_error) => F I 
((-(ClkD A c_pe A c_pe_cnt) A -Reset_error) => C ^parity I ARB))) in 
let new_C_source = 

((Rst) => (WORDN 0) I 

((ClkD A ((c_sfsm_stateA = CSI) V (c_sfsm_stateA = CSL))) *=> Par_Dec rep (CB_ad_in) i C_source)) in 
let data_in31_16 = 

(MALTER ARBN (31,16) ((Rst) => (WORDN 0) i 

((ClkD A (((c_mfsm_stateA = CMD1) A c_srdy A -c_new_write) V 
((c_sfsm_stateA = CSA1)) V 

((c_sfsm_stateA = CSD1) A c_new_write))) => Par_Dec rep (CB_ad_in) I 
(SUBARRAY C_data_in (31,16))))) in 

let data_in31_0 = 

(MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) I 

((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) I 
(SUB ARRAY C.datajn (15,0))))) in 

let new_C_data_m = data_in31_0 in 

let new_C_iad_out = ((C_cin_2_le) => C_data_in I C_iad_out) in 
let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in I C_iad_in) in 
let new_C_ala0 = 

(((c_df&m_m aster A C_cout_0_le_del) V 

(~c_dfsm_master A C_clkA A (c_sfsm_stateA = CSD1))) => C_iad __in I C_alaO) in 
let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr I C_a3a2) in 
let new_C_mfsm_state = c_mfsm_stateA in 
let new_C_mfsm_D = ClkD in 
let new_C_mfsm_rst = Rst in 
let new_C_mfsm_crqt_ = I_crqt_ in 
let new_C_mf sm_ho ld_ = new_C_holdA_ in 
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let new_C_mfsm_ss = CB_ss_in in 
let new.C.mfsm.invalid = Piu.invalid in 
let new_C_sfsm_state = c_sfsm_stateA in 
let new_C_sfsm_D = ClkD in 
let new_C_sfsm_rst — Rst in 
let new_C_sfsm_hlda_ = I _hlda_ in 
let new.C_sfsm.ms = CB_ms_in in 
let new_C_efsm_cale_ = I_cale_ in 
let new_C_efsm_last_ = l_iast_in_ in 
let new.C_efsm.male. = I.male.in. in 
let new_C_efsm_rale_ = I_rale_in_ in 
let new.C.efsm.srdy. = I_sidy_in_ in 
let new.C_efsm.rst = Rst in 

(C mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_m valid, 
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_ 
C efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_last_in_, CJock.m. 
C _ ss, C_last_out_, C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, 
CJad_en_ JdelA, C.wrdy, C_rrdy, C_parity, C.source, C_data_in, C_iad_out, C_iad_in, C.alaO, C_a3a2)” 

);; 


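%------------------------------------------------------------------------------

Output definition for EXEC instruction. 

------------------------------------------------------------------------------%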

let cEXEC.out.def = new.definition 
( 4 cEXEC_out\ 

M ! (rep:*rep_ty) 

(C mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty) 

(C mfsm ss C_sfsm_ms C_sizewrbe C_ss C.source C_data_in C_iad_out C_iad_in C_alaO C_a3a2 :wordn) 
(dmfsmlD C_mfsm_rst C_mfsm_ciqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm _hlda_ 

C efsm_cale C_efsm Jast_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst 

clwr C_clkA C_last_in_ C_lock_m_ C_last_out_ C_hold_ C_holdA_ C_cout_0 _le_del C_cin_2 Je 

C_midy_del_ C_iad_en_s_del CJad_en_s_delA C_wrdy C_rrdy C_parity :bool) 

(l_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss Jn Id ChannellD Ccr :wordn) 

(I mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_ 

Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool) . 

cEXEC out rep „ . - . 

(C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C.mfsm_hold_, C_mfsm_ss, C_mfsm_in valid, 

C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfem_hlda_, C_sfsm_ms, 

C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_. C_efsm_rst, 
C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_, 

C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA, 
C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_alaO,C_a3a2) 

(I_ad_in, I_be_in_, I_midy_in_, l_rale_m_, I_male_in_. I_last_in_. I_srdy_in_, 

I_lock_, I_cale_, l_hlda_, I_ciqt_, CB_iqt_in_, CB_ad_in, CB_ms_in. CB_ss_in, 

Rst, ClkA, ClkB, ClkD, Id, ChannellD, Pmm_failure, Piu_in valid. Ccr, Reset_error) = 

let c_write = (((-(Cjnfsm.state = CMI)) A <-(C_mfs.n_state = CMR))) => C_wr I (ELEMENT C.sizewrbe (5))) in 

let c_busy = (-((SUB ARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in 

let c_grant = ((((SUBARRAY Id (1 ,0)) = (WORDN 0)) A -(ELEMENT CB_rqt_in_ (0))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 1)) A -(ELEMENT CB_/qt_in_ (0)) 

A (ELEMENT CB_rqt_in_ (1))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 2)) A -(ELEMENT CB_rqt_in_ (0)) 
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A (ELEMENT CB_rqt_in_ (1)) 

A (ELEMENT CB_rqt_in_ (2))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 3)) A -(ELEMENT CB_rqt_in_ (0)) 

A (ELEMENT CB_jqt_in_ (1)) 

A (ELEMENT CB _/qt_in_ (2)) 

A (ELEMENT CB_rqt_in_ (3)))) in 
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in 
let c_mfsm_stateA = 

((C_mfsm_rst) => CMI I 
((C_mfsm_state = CMI) => 

(Cjnfsm_D A -C_mf sm_crq t_ A ~c_busy A ~C_mfsm_in valid) => CMR I CMI I 
((C_mfsm_state = CMR) => (Cjnfsm_D A c_grant A C_mfsm_holdJ => CMA3 I CMR I 
((C_mfsm_state = CM A3) => ((C_mfsm_D) => CMA1 1 CMA3) I 
((C_mfsm_state = CMA1) => 

(C jnfsmJJ A (C_jnfsm_ss = A SRDY)) => CMAO I 
(Cjnfsm_D A (Cjnfsm_ss = A SABORT)) => CMABT I CMA1 1 
((C_mfsm_state = CMAO) => 

(C jnfstn_D A (Cjnfsm.ss = A SRDY)) => CM A2 1 
(C jnfsm.D A (Cjnfsm.ss = A S ABORT)) => CMABT I CMAO I 
((C_mfsm_state = CMA2) => 

(C_mfsm_D A (C _mfsm_ss = A SRDY)) => CMD1 1 
(C_mfsm_D A (Cjnfsm^ss = A S ABORT)) => CMABT I CMA2 1 
((C_mfsm_state = CMD1 ) => 

(C_mfsm_D A (Cmfsm.ss = A SRDY)) => CMDO I 
(C_mfsm_D A (C _jnfsm_ss = A SABORT)) => CMABT I CMD1 1 
((C_mfsm_state = CMDO) => 

(C_mfsm_D A (C_p»fsin_ss = A SRDY) A C_last_in_) => CMD1 1 
(C_mfsm_D A (Cjnfem_ss = A SRDY) A -C _last_inj => CMW I 
(C_mfsm_D A (C jnfsm_ss = A S ABORT)) => CMABT I CMDO I 
((C_mfsm_8tate = CMW) => 

(C_mfsm_D A (C.mfsm.ss = A S ABORT)) => CMABT I 
(C_mfsm_D A (C_mfsm_ss = A S ACK) A C_lock_in J => CMI I 

(C_mfsm_D A (C_jnfsm_ss = A SRDY) A -C _lock_in_ A -C_mfsm_crqtJ => CMA3 I CMW I 
((-CJastJnJ => CMI I CMABT))))))))))) in 
let c_sfsm_stateA = 

((C_sfsm_rst) => CSI I 

(C_sfsm_state = CSI) => 

((C_sfsm_D A (C_sfsm_ms = A MSTART) A -c_grant A c.addressed) => CSA1 I CSI) I 
(C_sfsm_state = CSL) => 

((C_sfsm_D A (C_sfsm_ms = A MSTART) A -c _grant A c_addressed) => CSA1 1 
(C_sfsm_D A (C_sfsm_tns = A MSTART) A ~c_grant A -c_addressed) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSL) I 
(C_sfsm_state = CSA1) => 

((C_sfsm_D A (C_8f8m_ms = A MRDY)) => CS AO I 
(C_sfsm_D A (C.sfsmjns = A MABORT)) => CSABT I CSA1) I 
(C_sfsm_state = CSAO) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A -C_sfsm_hlda_) => CS ALE I 
(C_sfsm_D A (C_sfsm jns = A MRDY) A C_sfsm_hlda_) => CS AOW I 
(C_sfsm_D A (C_sfsm jus = A MABORT)) => CSABT I CSAO) I 
(C_sfsm_5tate = CSAOW) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A ~C_sfsm_hlda_) => CS ALE I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAOW) I 
(C_sfsm_state = CSALE) => 

((C_sfsm_D A c_write A (C_sfsm_ms = A MRDY)) => CSD1 1 
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(C_sfsm_D A ~c_write A (C_sfsm_ms = A MRDY)) => CSRR I 
(C_sfsm_D A (C_sfsm_ms = A M ABORT)) => CSABT I CS ALE) I 
(C_sfsm_state = CSRR) => 

((C_sfsm_D A ~(C_sfsm_ms = A M ABORT)) — > CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) — > CSABT I CSRR) I 
(C_sfsm_state = CSD1) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSDO I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSD1) I 
(C_sfsm_state = CSDO) => 

((C_sfsm_D A (C_sfsm_ms = A MEND)) => CSACK I 
(C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSDO) I 
(C_sfsm_state = CSACK) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSL I 
(C_sfsm_D A (C_sfsm_ms = A MWATT)) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSACK) I 
(C_sfsm_D) => CSI I CSABT) in 
let c_efsm_stateA = 

((C_efsm_rst) => CEI l 

(C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE I CEI) I 

((-C_efsmjast_ A ~C_efsm_srdy_) V ~C_efsm_male_ V ~C_efsm_raleJ => CEI I CEE) in 
let c_srdy_en — ((c_efsm_sta.teA = CEE) V (C_efsm_state = CEE)) in 

let cout_selO = (ALTER ARBN (0) (((c_sfsm_stateA = CSD1) V (c_sfsm_stateA = CSDO)) => 

(c_sfsm_stateA = CSD1) I 

(c_mfsm_stateA = CM A3) V (c_mfsm_stateA = CM A1 ) 

V (c_mfsm_stateA = CMD1))) in 
let cout_sellO = (ALTER cout_selO (1) (((c_sfsm_stateA = CSD1) V (c_sfcm_stateA = CSDO)) => 

FI 

(c_mfsm_stateA = CMA3) V (c_mfsm_stateA = CMA2))) in 

let c_cout_sel = cout_sellO in 

let new_C_wr = (( -locale J => (ELEMENT I_ad_in (27)) I C_wr) in 

let new_C_sizewrbe = ((Rst) => (WORDN 0) I 

(((c_sfsm_stateA = CSAO) A C_clkA) => (SUB ARRAY C.datajn (31,22)) I C.sizewrbe)) in 

let c_new_write = (((~(cjnfsm_stateA = CMI)) A Hc_mfsm_stateA = CMR))) => 
new_C_wr I (ELEMENT new_C_sizewrbe (5))) in 
let new_C_clkA = ClkD in 
let new_CJast_in_ = ((Rst) => F I 

(((c_mfsm_stateA = CMABT) V (c_mfsm_stateA = CMD1) A ClkD) => IJast_in_ I 
C_last_in_)) in 

let new_C_lock_in_ = ((Rst) => F I 

((c_mfsm_stateA = CMA1 ) => I_lock_ I 
C_lock_in_)) in 

let new_C_ss = (((-(c_mfsm_stateA = CMABT)) A (~(c_mfsm_stateA = CMI))) => CB_ss_in I C_ss) in 
let c_mend = (CB_ms _in = A MEND) in 
let c_m abort = (CB_ms_in = A MABORT) in 
let new_C_last_out_ = 

(((c_sfsm_stateA = CSA1) A -(ClkD A (c_mend V c_maboit))) => T I 
((~(c_sfsm_stateA = CSA1) A (ClkD A (cjnend V c_mabort))) => F I 
(( ~(c_s fsm_state A = CSA1) A -(ClkD A (c_mend V c_m abort))) => C_last_out_ I ARB))) in 
let c_srdy = (CB_ss_in = A SRDY) in 

let c_dfsm_master = ((c_mfsm_stateA = CMA3) V (cjnfcm_stateA = CM A2) V (c_mfsm_stateA = CMA1) 

V (c_mfsm_stateA = CM AO) V (c_mfsm_stateA = CMD1) V (c_mfsm_stateA = CM DO)) in 
let c_dfsm_cad_en = ~((c_mfsm_stateA = CM A3) V (c_mfsm_stateA = CMA1) V (c_mfsm_stateA = CMAO) 

V (c_mfsm_stateA — CMA2) 
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V (c_new_write A ((c_mfsm_stateA = CMD1) V (c_mfsm_stateA = CMDO))) 

V (~c_ncw_ write A ((c_sfsm_stateA = CSD1) V (c_sfsm_stateA = CSDO)))) in 
let new_C_hold_ = (c_sf&m_stateA = CSI) in 

let new_C _holdA_ = ((ClkD) => C_hold_ I C JwldAJ in 

let new_C_cout_0_le_del = ((I_cale_) V (I_srdy_in_ A ~c_new_write) 

V ((c_mfsm_stateA = CMAO) A c_srdy A c_new_write A ClkD) 

V ((c_mfsm_stateA = CMDO) A c_new_write A c_srdy A ClkD)) in 
let new_C_cin_2_le = (ClkD A (((c _mfsm_stateA = CMDO) A c_srdy A -c_new__write) V 

((c_sfsm_stateA = CS AO)) V 
((c_sfsm_stateA = CSDO) A c_new_ write))) in 

let new_C_mrdy_del_ = ~ ( ( ~c_ne w_ wri te A ClkD A ((c_sfsm_stateA = CSALE) V (c_sfsm_stateA = CSD1 ))) V 
(-c_new_ write A C_clkA A (c_sfsm_stateA = CSACK)) V 
(c_new_write A ClkD A (c_sfsm_stateA = CSDO))) in 
let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) A (-(C_gfsm_state = CSALE))) 

V ((c_sfsm_stateA = CSALE) A c_new_write) 

V ((c_sfsm_stateA = CSD1) A c_new_write A (-(C_sfsm_state = CSRR))) 

V ((c_sfsm_stateA = CSDO) A c_new_write) V 
((c_sfsm_stateA = CSACK) A c_new_write)) in 

let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del I C_iad_en_s_delA) in 
let new_C_wrdy = (c_srdy A c_new_write A (c_mfsm_stateA = CMD1) A ClkD) in 
let new_C _rrdy = (c_srdy A ~c_new_write A (c_infsm_stateA = CMDO) A ClkD) in 
let c _j>e = (Par_Det rep (CB_ad_in)) in 

let c_mpari ty = ((c _mfsm_stateA = CMA3) V (c _jnfsm_stateA = CMA1) V (c _jnfsm_stateA = CMAO) 

V (c_mfsm_stateA = CMA2) V (c_mfsm_stateA = CMD1 ) V (c_mfsm_stateA = CMDO) 

V (Cjmfsm_state = CMA1) V (C_mfsm_state = CMAO) V (C_jnfsm_state = CMA2) 

V (C_mfsm_state = CMD1)) in 

let c_sparity = ((-(c_sfsm_stateA = CSI)) A (~(c_sfsm_stateA = CSACK)) A (~(c_sfsm_stateA = CSABT))) in 
let c_pe_cnt = (ClkD A ((~(c_mparity = c_sparity)) V ((SUB ARRAY CB_ss_in (1,0)) = (WORDN 0)))) in 
let new_C ^parity = 

(((ClkD A c_pe A c_pe_cnt) A ~Reset_error) => T I 
((-(ClkD A c jpe A c_pe_cnt) A Reset_error) => F I 
((-(ClkD A c_pe A c_pe_cnt) A -Reset_error) => C_parity I ARB))) in 
let new_C_source = 

((Rst) => (WORDN 0) I 

((ClkD A ((c_sfsm_stateA = CSI) V (c_sfsm_stateA * CSL))) => Par_Dec rep (CB_ad_in) I C_source)) in 
let data_in31_16 = 

(MALTER ARBN (31,16) ((Rst) => (WORDN 0) I 

((ClkD A ( ((c_mfsm_s tate A = CMD1) A c_srdy A -c_new_write) V 
((c_sfsm_stateA = CS A1 )) V 

((c_sfsm_stateA = CSD1) A c_new_write))) => Par_Dec rep (CB_ad_in) I 
(SUBARRAY C_data_in (31,16))))) in 

let data_in31_0 = 

(MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) I 

((new_C_cin_2_le) => Par„Dec rep (CB_ad_in) I 
(SUBARRAY C_data_in (15,0))))) in 

let new_C_data_in = data_in31_0 in 

let new_C_iad_out = ((C_cin_2_le) => C_data_in I C_iad_out) in 
let new_C_iad_in = (( ne w_C_co u t_0_le_del) => I_ad_in I C_iad_in) in 
let new_C_ala0 = 

(((c_dfsm_master A C_cout_0_le_del) V 

(~c_dfsm_master A C_clkA A (c_sfsm_stateA = CSD1))) => C_iad_in I CjalaO) in 
let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr I C_a3a2) in 
let new_C_mfsm_state = c_mfsm_stateA in 
let new_C_mfsm_D = ClkD in 
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let new_C_mfsm_rst = Rst in 

let new_C_mfsm_crqt_ = I_crqt_ in 

let new_C_mfsm_hold_ = new_C_bold A_ in 

let new_C_mfsm_ss = CB_ss_in in 

let new_C_mfsm_in valid = Piu_in valid in 

let new_C_sfsm_state = c_sfsm_stateA in 

let new_C_sfsm_D = ClkD in 

let new_C_sfsm_rst = Rst in 

let new_C_sfsm_hlda_ = I_hlda_ in 

let new_C_sfsm_ms = CB_ms_in in 

let new_C_efsm_cale_ = I_cale_ in 

let new_C_efsm_last_ = I_lastjn_ in 

let new_C_efsm_male_ = I_male_in_ in 

let new_C_efsm_rale_ = I_rale_in_ in 

let new_C_efsm_srdy_ = I_srdy_in_ in 

let new_C_efsm_rst = Rst in 

let I_cgnt_ = ~(c_mfsm_stateA = CM A3) in 
let I_mrdy_out_ = ((-IJildaJ => C_mrdy_del_ ! ARB) in 
let I_hold_ = new_C_holdA_ in 
let I_rale_out_ = 

((~I_hldaJ => 

~((c_sfsm_stateA = CSALE) A ((SUB ARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) A C_clkA) I ARB) in 
let I_male_out_ = 

((~I_hlda_) => 

~((c_sfsm_stateA = CSALE) A (-((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) A C_clkA) I ARB) in 
let I_last_out_ = ((~I_hlda_) => C_last_out_ I ARB) in 

let l_srdy_out_ = ((-I_cale_ V c_srdy_en) => ~(C_wrdy V C_rrdy V (c_mfsm_stateA = CMABT)) I ARB) in 
let I_be_out_ = ((-I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) I ARBN) in 
let I_ad_out = ((new_C_iad_en_s_delA 

V ((c_mfsm_stateA = CMD1) A ~c_new_write A c_srdy_en) 

V ( (c_mfsm_state A = CM DO) A ~c_new_write A c_srdy_en) 

V ( (c_mf sm_state A = CMW) A (C_mfsm_state = CM DO) A ~c_new_write A c_srdy_en) 

V ((c_sfsm_stateA = CSALE) A (~(C_sfsm_state = CSALE))) 

V ((c_sfsm_stateA = CSALE) A c_new_write) 

V ((c_sfsm_stateA = CSD1) A c_new_wnte A (~(C_sfsm_state = CSRR))) 

V ((c_sfsm_stateA = CSDO) A c_new_write) 

V ((c_sfsm_stateA = CS ACK) A c_new_wnte)) => new_C_iad_out I ARBN) in 
let CB_rqt_out_ = ~(~(c_mfsm_stateA = CMI)) in 

let msO = (ALTER ARBN (0) (((c_mfsm_stateA = CMDO) A ~C JastJn J V 

((c_mfsm_stateA = CMW) A C Jock_in_) V 
(c_mfsm_stateA = CMABT))) in 

let ms 10 = (ALTER msO (1) (((c_mfsmj;tateA = CMA1) V (c_mfsm_stateA = CM AO) V 
(c_mfsm_stateA = CMA2) V (c_mfsm_stateA = CMD1) V 
((c_mfsm_stateA = CMDO) ACJastJnJ V (c_mfsm_stateA = CMW) V 
(c_mfsm_stateA = CMABT)))) in 

let ms210 = (ALTER ms 10 (2) «(c_mfsm_stateA = CMA3) V (c_mfsm_stateA = CM A1 ) V 

(c_mfsm_stateA = CMAO) V (c_mfsm_stateA = CMA2) V 
(c_mfsm_stateA = CMD1) V (c_mfsm_stateA = CMDO) V 

(c_mfsm_stateA = CMW) V (c_mfsm_stateA = CMABT)) A -Pmm.failure A ~Piu_invaiid)) 
in 

let CB_ms_out = (((~(c_mfsm_stateA = CMI)) A (~(c_mfsm_stateA = CMR))) => ms210 1 ARBN) in 
let ssO = (ALTER ARBN (0) ((c_sfsm_stateA = CSAOW) V 

((c_sfsm_stateA = CSALE) A -c_new_write) V 
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(c_sfsm_stateA = CSACK))) in 
let sslO = (ALTER ssO (1) ~(c_sfsm_stateA = CSACK)) in 
let ss210 » (ALTER sslO (2) (-Pmm_failure A -Piu_invalid)) in 

let CB_ss_out = (((-(c_sftm_stateA = CSI)) A (~(c_sf8in_stateA = CSABT))) => ss210 1 ARBN) in 
let CB_ad_out = ((c_dfsm_cad_en) => 

((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_alaO (15,0)) I 
((c_cout_sel = (WORDN 1)) => Par_Enc rep (SUB ARRAY new_C_alaO (31,16)) I 
((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUB ARRAY new_C_a3a2 (15,0)) I 
Par.Enc rep (SUB ARRAY new_C_a3a2 (31,16))))) I ARBN) in 
let C_ss_out = new_C_s s in 

let Disable_writes = ((~(c_sfsm_stateA = CSI)) A (~(c_sfsm_stateA = CSL)) A 

-((ChanneUD = (WORDN 0)) A (ELEMENT C_source (6))) A 
-((ChannellD = (WORDN 1 )) A (ELEMENT C_source (7))) A 
~( (ChanneUD = (WORDN 2)) A (ELEMENT C.source (8))) A 
-((ChanneUD = (WORDN 3)) A (ELEMENT C_source (9)))) in 
let CB_parity = new_C_parity in 

(I_cgnt_, I_mrdy_out_, I_hold_, I„rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_, 
CB _rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable, writes, CB ..parity)” 

);; 


% End of the theory whose definitions precede this line (it was opened earlier in the listing). %
close_theory();; 


D.5 SU_Cont Specification 


%------------------------------------------------------------------------------

File: s_clock1.ml

Author: (c) D.A. Fura 1992

Date: 31 March 1992

This file contains the ml source for the clock-level specification of the startup controller of the
FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator written
by P.J. Windley at the University of Idaho.

------------------------------------------------------------------------------%


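% Session set-up for theory s_clock1.                                          %
%                                                                              %
% The project library directory is appended to the search path, so a file of   %
% the same name found in a directory already on the path is picked up first;   %
% check the effective path when the provenance of the parent theories matters. %
% The stale theory file is deleted through a shell command run in the current  %
% working directory, presumably because new_theory will not replace an         %
% existing theory file (confirm against the HOL88 reference).                  %
% NOTE(review): the directory is read as titan3/.../piu/hol/lib/ by analogy    %
% with the search paths printed in the later appendices.                       %

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm s_clock1.th`;;
new_theory `s_clock1`;;

map new_parent [`saux_def`; `aux_def`; `array_def`; `wordn_def`];;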

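% Type abbreviations and variable tuples for the startup controller.           %
%                                                                              %
% sc_state : 18 components (FSM state, six latched FSM inputs, two wordn       %
%            counters, nine status latches).                                   %
% sc_env   : 9 boolean inputs.                                                 %
% sc_out   : 11 components (wordn state code followed by ten booleans).        %
% Each tuple is annotated with its type by antiquotation, so a mismatch        %
% between a tuple and its type string is rejected when the file is loaded.     %

let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#
                     bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_state = "((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                  S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                  S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
                 :^sc_state_ty)";;

let sc_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
               :^sc_env_ty)";;

let sc_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
                Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
               :^sc_out_ty)";;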


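%------------------------------------------------------------------------------
  Next-state definition for EXEC instruction.

  sEXEC_inst takes the current startup-controller state tuple and the
  environment tuple and returns the next state tuple (same component order
  as sc_state).

  State sequence of the controller FSM, as written below:
    SSTART -> SRA -> (SO when S_fsm_bypass, else SPF) -> SC0I -> SC0F -> ST
           -> SC1I -> SC1F -> SS -> (SSTOP when S_fsm_bothbad, else SCS)
           -> SN -> SO
  SRA and SCS wait on S_fsm_delay6; SC0I, SC1I and SN wait on S_fsm_delay17.
  SSTOP and SO hold until S_fsm_rst.  Any state not listed maps to S_ILL,
  and S_ILL itself matches no guard, so it is left only through S_fsm_rst.

  The fail and bad-cpu latches use a set/reset/hold form whose fourth case
  (set and reset conditions both true) yields ARB, i.e. no value is
  specified.  For new_S_cpu0_fail, new_S_cpu1_fail and new_S_piu_fail that
  case is s_fsm_sb together with Bypass (the ok terms and s_fsm_spf cannot
  hold in the same step as s_fsm_sb as far as this definition shows), so
  properties proved about these latches must not depend on their value when
  Bypass is asserted while the FSM enters SSTART.

  ClkA and ClkB are parameters of the environment tuple but are not
  referenced in the body.  s_fsm_srcp, s_fsm_sdi and s_fsm_srp are bound
  here but only feed outputs in sEXEC_out.
------------------------------------------------------------------------------%

let sEXEC_inst_def = new_definition
  (`sEXEC_inst`,
   "! (S_fsm_state :sfsm_ty)
      (S_soft_cnt S_delay :wordn)
      (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
       S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_piu_fail :bool)
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
    sEXEC_inst (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
               (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
      let new_S_fsm_state =
        ((S_fsm_rst) => SSTART |
        ((S_fsm_state = SSTART) => SRA |
        ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
        ((S_fsm_state = SPF) => SC0I |
        ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
        ((S_fsm_state = SC0F) => ST |
        ((S_fsm_state = ST) => SC1I |
        ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
        ((S_fsm_state = SC1F) => SS |
        ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
        ((S_fsm_state = SSTOP) => SSTOP |
        ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
        ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
        ((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
      let s_fsm_sn = (new_S_fsm_state = SN) in
      let s_fsm_so = (new_S_fsm_state = SO) in
      let s_fsm_srcp = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
      let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
      let s_fsm_srp = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
                       \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                       \/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
      let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
      let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
      let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
      let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
      let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
      let s_fsm_spmf = (new_S_fsm_state = SO) in
      let s_fsm_sb = (new_S_fsm_state = SSTART) in
      let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                       \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
                       \/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
      let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
      let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
      let s_fsm_scs = (new_S_fsm_state = SCS) in
      let new_S_soft_shot_del = (~Gcrh /\ Gcrl) in
      let s_soft_cnt_out =
        ((s_fsm_srs) =>
          ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
          ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
      let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
      let s_delay_out =
        ((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
          ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
          ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
      let new_S_delay = s_delay_out in
      let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
      let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
      let new_S_pmm_fail =
        ((s_fsm_sb /\ ~s_fsm_spmf) => T |
        ((~s_fsm_sb /\ s_fsm_spmf) => F |
        ((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
      let new_S_cpu0_fail =
        ((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
        ((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
        ((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
      let new_S_cpu1_fail =
        ((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
        ((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
        ((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
      let new_S_piu_fail =
        ((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
        ((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
        ((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
      let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
      let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
      let new_S_bad_cpu0 =
        ((s_fsm_sb /\ ~s_cpu0_select) => T |
        ((~s_fsm_sb /\ s_cpu0_select) => F |
        ((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
      let new_S_bad_cpu1 =
        ((s_fsm_sb /\ ~s_cpu1_select) => T |
        ((~s_fsm_sb /\ s_cpu1_select) => F |
        ((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
      let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
      let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
      let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
      let new_S_fsm_rst = Rst in
      let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
      let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
      let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
      let new_S_fsm_bypass = Bypass in
      (new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
       new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1,
       new_S_reset_cpu0, new_S_reset_cpu1, new_S_cpu_hist, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail,
       new_S_piu_fail)"
  );;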

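%------------------------------------------------------------------------------
  Output definition for EXEC instruction.

  sEXEC_out takes the same state and environment tuples as sEXEC_inst and
  returns the output tuple (same component order as sc_out).  The next-state
  terms are recomputed here with the same text as in sEXEC_inst, so the two
  definitions have to be kept in step by hand; an edit to one that is not
  mirrored in the other makes the outputs disagree with the stored state.

  S_state is a four-bit code built with ALTER on bits 0..3 of ARBN, one bit
  per let.  Read as bits 3,2,1,0 the codes below change one bit per FSM
  step (SSTART 0000, SRA 1000, SPF 1100, SC0I 0100, SC0F 0110, ST 1110,
  SC1I 1010, SC1F 0010, SS 0011, SCS 1011, SN 1001, SO 1101); SSTOP is 0111.
  Bits of ARBN other than 0..3 are left unspecified by this definition.

  Piu_fail, Cpu0_fail and Cpu1_fail pass through the set/reset/hold latches,
  whose both-true case yields ARB; as written that case is reached when
  Bypass is asserted in the step where the FSM enters SSTART, so these
  outputs carry no specified value in that step.
------------------------------------------------------------------------------%

let sEXEC_out_def = new_definition
  (`sEXEC_out`,
   "! (S_fsm_state :sfsm_ty)
      (S_soft_cnt S_delay :wordn)
      (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
       S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_piu_fail :bool)
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
    sEXEC_out (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
               S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
               S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
              (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
      let new_S_fsm_state =
        ((S_fsm_rst) => SSTART |
        ((S_fsm_state = SSTART) => SRA |
        ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
        ((S_fsm_state = SPF) => SC0I |
        ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
        ((S_fsm_state = SC0F) => ST |
        ((S_fsm_state = ST) => SC1I |
        ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
        ((S_fsm_state = SC1F) => SS |
        ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
        ((S_fsm_state = SSTOP) => SSTOP |
        ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
        ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
        ((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
      let s_fsm_sn = (new_S_fsm_state = SN) in
      let s_fsm_so = (new_S_fsm_state = SO) in
      let s_fsm_srcp = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
      let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
      let s_fsm_srp = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
                       \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                       \/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
      let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
      let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
      let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
      let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
      let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
      let s_fsm_spmf = (new_S_fsm_state = SO) in
      let s_fsm_sb = (new_S_fsm_state = SSTART) in
      let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                       \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
                       \/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
      let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
      let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
      let s_fsm_scs = (new_S_fsm_state = SCS) in
      let new_S_soft_shot_del = (~Gcrh /\ Gcrl) in
      let s_soft_cnt_out =
        ((s_fsm_srs) =>
          ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
          ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
      let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
      let s_delay_out =
        ((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
          ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
          ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
      let new_S_delay = s_delay_out in
      let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
      let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
      let new_S_pmm_fail =
        ((s_fsm_sb /\ ~s_fsm_spmf) => T |
        ((~s_fsm_sb /\ s_fsm_spmf) => F |
        ((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
      let new_S_cpu0_fail =
        ((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
        ((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
        ((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
      let new_S_cpu1_fail =
        ((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
        ((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
        ((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
      let new_S_piu_fail =
        ((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
        ((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
        ((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
      let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
      let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
      let new_S_bad_cpu0 =
        ((s_fsm_sb /\ ~s_cpu0_select) => T |
        ((~s_fsm_sb /\ s_cpu0_select) => F |
        ((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
      let new_S_bad_cpu1 =
        ((s_fsm_sb /\ ~s_cpu1_select) => T |
        ((~s_fsm_sb /\ s_cpu1_select) => F |
        ((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
      let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
      let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
      let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
      let new_S_fsm_rst = Rst in
      let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
      let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
      let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
      let new_S_fsm_bypass = Bypass in
      let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
                                 \/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
                                 \/ (new_S_fsm_state = SO))) in
      let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                                \/ (new_S_fsm_state = SC1I) \/ (new_S_fsm_state = SC1F)
                                \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
                                \/ (new_S_fsm_state = SCS))) in
      let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) \/ (new_S_fsm_state = SC0I)
                                \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                                \/ (new_S_fsm_state = SSTOP) \/ (new_S_fsm_state = SO))) in
      let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) \/ (new_S_fsm_state = SPF)
                                \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1I)
                                \/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
                                \/ (new_S_fsm_state = SO))) in
      let S_state = ss3 in
      let Reset_cport = s_fsm_srcp in
      let Disable_int = (~(s_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ s_fsm_sdi
                         /\ ((Test) => ~(ELEMENT s_delay_out (5)) | ~(ELEMENT s_delay_out (16)))) in
      let Reset_piu = s_fsm_srp in
      let Reset_cpu0 = new_S_reset_cpu0 in
      let Reset_cpu1 = new_S_reset_cpu1 in
      let Cpu_hist = new_S_cpu_hist in
      let Piu_fail = new_S_piu_fail in
      let Cpu0_fail = new_S_cpu0_fail in
      let Cpu1_fail = new_S_cpu1_fail in
      let Pmm_fail = new_S_pmm_fail in
      (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail,
       Cpu1_fail, Pmm_fail)"
  );;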

% End of theory s_clock1: both startup-controller definitions are now recorded. %
close_theory();; 
Appendix E ML Source for the PIU Block-Level Specification.

This appendix contains the HOL model for the PIU block-level structural specification. 

% 


File: piu_block.ml 

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 


This file contains the ml source for the block-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. At this level 
the blocks correspond to the four PIU ports and the startup controller. 

% 


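% Session set-up for theory piu_block.                                         %
%                                                                              %
% The library and per-port directories are appended to the search path, so a   %
% same-named file in a directory already on the path takes precedence; the     %
% parent theories listed below are what PIU_Block_SPEC rests on, so confirm    %
% which copies are actually loaded.  The stale theory file is deleted through  %
% a shell command run in the current working directory.                        %
% NOTE(review): the fifth directory and the fifth parent theory are read as    %
% rport and r_clock1 by analogy with the search path printed for piu_clock1    %
% and with the other port theories; the printed listing is damaged at both     %
% places, so confirm against the original file.                                %

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`;
                                  `/home/titan3/dfura/ftep/piu/hol/pport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/cport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/mport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/rport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/sucont/`]);;

system `rm piu_block.th`;;
new_theory `piu_block`;;

loadf `abstract`;;

map new_parent [`aux_def`; `p_clock1`; `c_clock1`; `m_clock1`; `r_clock1`; `s_clock1`];;

% Abstract representation type taken from theory aux_def. %
let rep_ty = abstract_type `aux_def` `Andn`;;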

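%------------------------------------------------------------------------------
  Block-level structural specification of the PIU.

  PIU_Block_SPEC rep state env out holds when internal signals exist such
  that the five block predicates p_interp, c_interp, m_interp, r_interp and
  s_interp all hold.  Each predicate is applied to rep and a triple of
  (block state, block inputs, block outputs); the internal signals are the
  existentially quantified variables.

  Points visible in the wiring below:
   - The external Rst reaches only s_interp.  The other blocks are reset by
     the internal signals reset_piu and reset_cport, which are s_interp
     outputs.
   - i_ad appears in the output tuple of the P, C, M and R blocks (twice for
     the P block) and in their input tuples, i.e. it is one shared signal.
   - disable_writes and cb_parity come from the C block, mb_parity from the
     M block, and reset_error and piu_invalid from the R block.

  NOTE(review): the printed listing is damaged in this definition.  The
  conjunction after the m_interp term is restored.  The r_interp input tuple
  is kept as printed (it starts ClkA, reset_piu with no ClkB), and the
  s_interp input tuple is kept as printed with Led in sixth position and
  eight components; confirm both against the definitions of r_interp and
  s_interp in the original files.
------------------------------------------------------------------------------%

let PIU_Block_SPEC = new_definition
  (`PIU_Block_SPEC`,
   "! (rep:^rep_ty)
      (P_fsm_state :pfsm_ty)
      (P_addr P_be_ P_size :wordn)
      (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
       P_lock_inh_ P_male_ P_rale_ :bool)
      (C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
      (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
      (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
       C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
       C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
       C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
      (M_fsm_state :mfsm_ty)
      (M_count M_addr M_be M_rd_data M_detect :wordn)
      (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
      (R_fsm_state :rfsm_ty)
      (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
       R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr
       R_reg_sel R_busA_latch :wordn)
      (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
       R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
       R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
       R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
      (S_fsm_state :sfsm_ty)
      (S_soft_cnt S_delay :wordn)
      (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
       S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
      (L_ad_in L_be_ :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)
      (CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn)
      (ClkD :bool)
      (MB_data_in :wordn)
      (Edac_en_ :bool)
      (Bypass Test Failure0_ Failure1_ :bool)
      (L_ad_out :wordn)
      (L_ready_ :bool)
      (CB_ad_out CB_ms_out CB_ss_out :wordn)
      (CB_rqt_out_ :bool)
      (MB_addr MB_data_out :wordn)
      (MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ :bool)
      (Led :wordn)
      (Int0_ Int1 Int2 Int3_ Cpu_hist :bool) .
    PIU_Block_SPEC rep
      (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
       P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
       C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
       C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
       C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
       C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
       C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
       C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
       M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
       M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
       R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
       R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
       R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
       R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
       R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
       R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
       R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
       R_reg_sel, R_busA_latch,
       S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del,
       S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_cpu_hist, S_pmm_fail,
       S_cpu0_fail, S_cpu1_fail, S_piu_fail)
      (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
       CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
       MB_data_in, Edac_en_,
       Bypass, Test, Failure0_, Failure1_)
      (L_ad_out, L_ready_,
       CB_ad_out, CB_ms_out, CB_ss_out, CB_rqt_out_,
       MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
       Int0_, Int1, Int2, Int3_, Led, Cpu_hist) =
      ? (i_ad i_be_ :wordn)
        (i_male_ i_rale_ i_crqt_ i_cgnt_ i_cale_ i_mrdy_ i_srdy_ i_last_ i_hold_ i_hlda_ i_lock_ :bool)
        (c_ss :wordn)
        (disable_writes cb_parity :bool)
        (ccr :wordn)
        (reset_error piu_invalid :bool)
        (mb_parity :bool)
        (s_state :wordn)
        (reset_cport disable_int reset_piu reset_cpu0 reset_cpu1 piu_fail pmm_fail cpu0_fail cpu1_fail :bool) .
      (p_interp rep ((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                      P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_),
                     (ClkA, ClkB, reset_piu, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, i_ad, i_cgnt_, i_hold_, i_srdy_),
                     (L_ad_out, L_ready_, i_ad, i_ad, i_be_, i_rale_, i_male_, i_crqt_, i_cale_, i_mrdy_, i_last_, i_hlda_, i_lock_))) /\
      (c_interp rep ((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
                      C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
                      C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                      C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                      C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
                      C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2),
                     (i_ad, i_be_, i_mrdy_, i_rale_, i_male_, i_last_, i_srdy_, i_lock_, i_cale_, i_hlda_, i_crqt_,
                      CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
                      reset_cport, ClkA, ClkB, ClkD, Id, ChannelID, pmm_fail, piu_invalid, ccr, reset_error),
                     (i_cgnt_, i_mrdy_, i_hold_, i_rale_, i_male_, i_last_, i_srdy_, i_ad, i_be_,
                      CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, c_ss, disable_writes, cb_parity))) /\
      (m_interp rep ((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se,
                      M_wr, M_addr, M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect),
                     (ClkA, ClkB, reset_piu, reset_cport, disable_writes, i_ad, i_male_, i_last_, i_be_,
                      i_mrdy_, MB_data_in, Edac_en_, reset_error),
                     (i_ad, i_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, mb_parity))) /\
      (r_interp rep ((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
                      R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
                      R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
                      R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
                      R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
                      R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
                      R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
                      R_reg_sel, R_busA_latch),
                     (ClkA, reset_piu, i_ad, i_rale_, i_last_, i_be_, i_mrdy_, disable_int, disable_writes,
                      cpu0_fail, cpu1_fail, reset_cpu0, reset_cpu1, piu_fail, pmm_fail, s_state, Id,
                      ChannelID, cb_parity, mb_parity, c_ss),
                     (i_ad, i_srdy_, Int0_, Int1, Int2, Int3_, ccr, Led, reset_error, piu_invalid))) /\
      (s_interp rep ((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                      S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                      S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail),
                     (ClkA, ClkB, Rst, Bypass, Test, Led, Failure0_, Failure1_),
                     (s_state, reset_cport, disable_int, reset_piu, reset_cpu0, reset_cpu1, Cpu_hist,
                      piu_fail, cpu0_fail, cpu1_fail, pmm_fail)))"
  );;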

% End of theory piu_block: PIU_Block_SPEC is its only definition in this listing. %
close_theory();; 
Appendix F ML Source for the PIU Clock-Level Specification.

This appendix contains the HOL model for the clock-level specification of the PIU. 


%

File: piu_clock1.ml

Author: (c) D.A. Fura 1992 

Date: 31 March 1992 

This file contains the ml source for the clock-level specification of the FTEP PIU, an ASIC 
developed by the Embedded Processing Laboratory, Boeing High Technology Center. 

% 


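% Session set-up for theory piu_clock1.                                        %
%                                                                              %
% The library and per-port directories are appended to the search path, so a   %
% same-named file in a directory already on the path takes precedence; check   %
% the effective path when the provenance of the parent theories matters.       %
% The stale theory file is deleted through a shell command run in the current  %
% working directory.                                                           %

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`;
                                  `/home/titan3/dfura/ftep/piu/hol/pport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/cport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/mport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/rport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/sucont/`]);;

system `rm piu_clock1.th`;;
new_theory `piu_clock1`;;

map new_parent [`paux_def`; `caux_def`; `maux_def`; `raux_def`; `saux_def`; `aux_def`; `array_def`; `wordn_def`];;

loadf `abstract`;;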

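% Status codes bound to ML names as term quotations; other definitions splice  %
% them into terms by antiquotation.  The M-prefixed and S-prefixed groups      %
% reuse the same numeric values (5, 6, 7 and 0), so a code is only meaningful  %
% together with the signal it is compared against.  Both abort codes are 0.    %
% NOTE(review): MWATT and SWATT are kept as printed; they are presumably       %
% MWAIT and SWAIT in the original file - confirm before use.                   %

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWATT = "WORDN 7";;
let MABORT = "WORDN 0";;

let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWATT = "WORDN 7";;
let SABORT = "WORDN 0";;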

let piu_state_ty = “:(wordD#bool#wordD#bool#pfsm_ty#bool#bool#bool#bool#bool#wordD#bool#bool#bool#bool#bool# 

cmfsm_ty#bool#bool#bool#bool#wordn#bool# 
csfsm_ty#bool#bool#bool#wordn# 
cefsm_ty#bool#bool#bool#bool#bool#bool# 
bool#wordn#bool#bool#bool#wordD#bool# 
bool#bool#boo l#boo l#bool#boo l#bool# 

bool#bool#bool#wordn#wordn#wordn#wordn#woTdn#woTdn# 

mfsm_ty#bool#bool#bool#bool#wordn#bool#bool#wordn#wordii#bool#bool#bool#wordn#wordD# 

rfsm_ty#bool#bool#bool#bool#bool#wordD#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool# 

wordD#bool#wordD#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordD#bool# 

wordn#t>ool#wordD#bool#wordn#bool#bool#wordn#wordii#bool#wordn#wordn#bool#wordo#bool#wordn# 
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bool#bool#bool#bool#bool#booWbool#bool#bool#bool#wordo#wordD# 

sfsm_ty#bool#bool#bool#bool#bool#bool#wardD#wordn# 

bool#bool#booI#bool#bool#booWbool#bool#bool)”;; 

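% The PIU state as a tuple of variables, typed by antiquoting           %
% piu_state_ty. Fields are grouped by name prefix: P_, C_, M_, R_, S_.  %
% NOTE(review): digits in names such as R_ctr0/R_ctr1, C_a1a0,          %
% S_fsm_delay17 and S_cpu0/S_cpu1 are restored from a scan that printed %
% the letters O and l; P_destl is kept as printed -- confirm.           %
let piu_state = "((P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                   P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
                   C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
                   C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
                   C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                   C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                   C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
                   C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
                   M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
                   M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
                   R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
                   R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
                   R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
                   R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
                   R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
                   R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
                   R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
                   R_reg_sel, R_busA_latch,
                   S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                   S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                   S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
                  :^piu_state_ty)";;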

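% Type of the PIU environment (input) tuple; one line per line of       %
% piu_env, in the same field order.                                     %
let piu_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#
                    wordn#wordn#wordn#wordn#bool#wordn#wordn#
                    wordn#bool#
                    bool#bool#bool#bool)";;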

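% The PIU environment as a tuple of input variables, typed by           %
% antiquoting piu_env_ty: clocks and reset, the L_ signals, the CB_     %
% signals with ClkD, Id and ChannelID, the MB_ data input with          %
% Edac_en_, and the Bypass/Test/Failure inputs.                         %
let piu_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
                 CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
                 MB_data_in, Edac_en_,
                 Bypass, Test, Failure0_, Failure1_)
                :^piu_env_ty)";;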

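% Type of the PIU output tuple; one line per line of piu_out, in the    %
% same field order.                                                     %
let piu_out_ty = ":(wordn#bool#
                    bool#wordn#wordn#wordn#
                    wordn#wordn#bool#bool#bool#bool#
                    bool#bool#bool#bool#wordn#
                    bool#bool#bool#bool#bool#bool#bool)";;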
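% The PIU outputs as a tuple of variables, typed by antiquoting         %
% piu_out_ty: the L_ outputs, the CB_ outputs, the MB_ address, data    %
% and select/enable lines, the interrupt lines with Led, and the CPU    %
% reset and failure flags.                                              %
let piu_out = "((L_ad_out, L_ready_,
                 CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out,
                 MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
                 Int0_, Int1, Int2, Int3_, Led,
                 Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
                :^piu_out_ty)";;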

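% Type obtained from theory aux_def via abstract_type, keyed on Andn.   %
% Presumably the type of the rep argument of the next-state definition  %
% below, which applies Andn to rep -- confirm.                          %
let rep_ty = abstract_type `aux_def` `Andn`;;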

% 

Next-state definition for EXEC instruction. 

% 
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let piuEXEC.inst.def = new.definition 
(‘piuEXEC.inst 4 , 

44 ! (rep^ep.ty) 

(P.fsm.state :pfsm_ty) 

(P_addr P_be_ P.size :wordn) 

(P_destl P_wr P_fsm_rst P.fsm.sack P.fsm.cgnt. P_fsm_hold_ P.rqt P.down P_lock_ 

P_lock„inh_ P_male_ P_rale_ :bool) 

(C.mfsm.state ;cmfsm_ty) (C.sfsm.state :csfsm_ty) (C_efsm_state :cefsm_ty) 

(C_mfsm_ss C.sfsm.ms C_sizewrbe C.ss C.source C_data_in C.iad.out CJadJn C.alaO C.a3a2 :wordn) 
(C_mfsm_D C.mfsm.rst C_mfsm_crqt_ C.mfsm.hold. C_mfsm_invalid C.sfsm.D C_sfsm_rst C_sfsm_hlda_ 
C.efsm.cale. C.efsm.last. C.efsm.male. C_efsm_iale_ C.efsm.srdy. C.efsm.rst 
C wr C.clkA C.last.m. C.lock.m. CJast.out. C_hold_ C.holdA. C.cout.O .le.del C_cin_2_le 
C_mrdy_del_ C_iad.en_s.del C_iad.en_s.delA C.wrdy C.rrdy Charity :bool) 

(M.fsm.state :mfsm_ty) 

(M.count M.addr M_be M.rd.data M.detect :wordn) 

(M.fsm.male. M.fsm .last. M_fsm_mrdy_ M.fsm.rst M_se M.wr M.rdy M.wwdel M_panty :bool) 

(R.fsm.state :rfsm_ty) 

(R.ctiO.m R.ctrO R.ctiO.new R.ctrO.out R.ctrl.in R.ctrl R.ctrl.new R_ctrl_outR_ctr2_in R.ctr2 R_ctr2_new 
R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R.icr.old R.icr.mask R Jcr R.ccr R_gcr R.sr 
R_reg_sel R.busA.latch :wordn) 

(R.fsm.ale. R_fsm_mrdy_ R_fsm_last_ R.fsm.rst R.ctrO.mux.sel R.ctrO.irden R_ctrO_cry R.ctrO.orden 
R.ctrl _mux_sel R.ctrl.irden R.ctrl _cry R.ctrl _orden R_ctr2.mux.sel R_ctr2.irden R.ctr2.cry R_cti2_orden 
R_ctr3_mux sel R ctr3_irden R_etr3_cry R_ctr3.orden R.icr.load RJcr.rden R.ccr.rden R-gcr_rden R.sr.rden 

R. intO.dis R_int3_dis R_c01.cout.dei R.intl.en R_c23.cout.del R.int2.en R.wr R.cnUatch.del R_srdy_del_ :bool) 

(S.fsm.state :sfsm.ty) 

(S.soft.cnt S.delay :wordn) 

(S.fsm.rst S_fsm_delay6 S_fsm_delayl7 S.fsm.bothbad S.fsm.bypass S.soft.shot.del S.bad.cpuO S.bad.cpul 

S. reset.cpuO S.reset.cpul S.cpu.hist S _pmm_fail S.cpuO.fail S.cpul.fail S_piu_fail :bool) 

(L.ad.in L.be. :wordn) 

(ClkA ClkB Rst L.ads. L.den. L.wr LJock. :bool) 

(CB.rqt.in. CB.ad Jn CB.ms.in CB.ss.m Id ChannellD :wordn) 

(ClkD :bool) 

(MB.data.in twordn) 

(Edac.en. :bool) 

(Bypass Test FailureO. Failure 1. :bool) . 
piuEXEC.inst rep 

(P.addr, P.destl, P_be_, P_wr, P.fsm.state, P.fsm.rst, P.fsm.sack, P.fsm.cgnt., P.fsm.hold., 
p rqt, P.size, P.down, PJock_, P_lock_inh_, P.male., P^rale., 

C.mfsm.state, C.mfsm.D, C.mfsm.rst, C.mfsm.crqt., C.mfsm.hold., C.mfsm.ss, C.mfsm.in valid, 
C.sfsm.state, C.sfsm.D, C.sfsm.rst, C.sfsm.hlda., C.sfsm.ms, 

C.efsm.state, C_efsm_cale_, C.efsm.last., C.efsm.male., C.efsm.rale., C_efsm_srdy_, C.efsm.rst, 

C.wr, C.sizewrbe, C.clkA, C.last.in., C_lock_in_, C.ss, C.last.out., 

C_hold_, C.holdA., C.cout.O Je.del, C_cin_2_le, C.mrdy.del., C.iad.en.s.del, C_iad.en_s.delA, 
C.wrdy, C.irdy, C_parity, C.source, C.data.in, C.iad.out, C.iad.in, C.alaO,C_a3a2, 

M.fsm.state, M.fsm.male., M.fsm.last., M.fsm.mrdy., M.fsm.rst, M.count, M_se, M.wr; M.addr, 
M_be, M.rdy, M.wwdel, M_parity, M.rd.data, M.detect, 

R.fsm.state, R.fsm.ale., R.fsm.mrdy., R.fsm.last., R.fsm.rst, R.ctxO.in, R.ctrO.mux.sel, R.ctiO, 
R.ctrO.irden, R.ctiO.new, R.ctrO.cry, R.ctrO.out, R.ctrO.orden, R.ctrl.in, R.ctrl .mux.sel, 

R.ctrl, R.ctrl.irden, R.ctrl.new, R.ctrl .cry, R.ctrl .out, R.ctrl.orden, R_ctr2.in, R_ctr2.mux.sel, 
R_ctr2, R_ctr2_irden, R_ctr2.new, R_ctr2„cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_jnux_sel, 
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R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, RJcrJoad, R_ict_old, 

R_icr _jnask, R_icr_rden, R_icr, R.ccr, R_ccr_rden, R_gcr, R_gcr_rden f R_sr, R_sr_rden, R_intO_dis, 
R_int3_dis, R_c01_cout_del, R_intl_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_ J 
R_reg_sel, RJ>usAJatch, 

S_fsm_state, S_fsm_rst, S_fsm_delay6, SJsmJelayl?, SJsmJ)othbad, S_fsm_bypass, S_soft_shot_del, 
S_soft_cnt, S.delay, S_bad_cpuO, SJ>ad_cpul, S_reset_cpuO, S.reset.cpul, S_cpu_hist, S_pmm_faiL 
S_cpuO_fail, S_cpul_fail, S_piu_fail) 

(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_dcn_, L_be_, L_wr, LJock., 

CB_rqtJn_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannellD, 

MB_data_in, Edac_en_, 

Bypass, Test, FailureO_, Failure 1_) = 

let oew_P_fsm_state = 

((P_fsm_rst) => PA I 

((P_fsm_state = PH) => ((~P_fsm .bold J => PH I PA) I 
((P_fsm_state = PA) => 

(((P.rqt A ~P_destl ) V (P_rqt A P_destl A ~P_fsm_cgnt_)) => PD I 
((-P.fsmJiokL A P Jock J => PH I PA)) I 
((P_fsm_state = PD) => 

(((P_fsm__sack A P_fsm_hold_) V (P_fsm_sack A ~P_fsm_hold_ A -PJockJ) => PA I 
((P_fsm_sack A ~P_fsm .hold. A PJockJ => PH I PD)) I P JLL)))) in 

let c_wnte = (((-(C_mfsm_state = CM I)) A (~(C_mfsm_state = CMR))) => C_wr I (ELEMENT C.sizewrbe (5))) in 

let c_busy = (-((SUB ARRAY CB_rqtJn_ (3,1)) = (WORDN 7))) in 

let c_grant = ((((SUB ARRAY Id ( 1 ,0)) = (WORDN 0)) A -(ELEMENT CB _rqt Jn_ (0))) 

V (((SUB ARRAY Id (1 ,0)) = (WORDN 1 )) A -(ELEMENT CB_rqt_in_ (0)) 

A (ELEMENT CB.rqtJn. (1))) 

V (((SUB ARRAY Id (1 ,0)) = (WORDN 2)) A -(ELEMENT CB_rqtJn_ (0)) 

A (ELEMENT CB_rqtJn_ (1)) 

A (ELEMENT CB_rqtJn_ (2))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 3)) A -(ELEMENT CB.rqtJn. (0)) 

A (ELEMENT CB_rqtJn_ (1)) 

A (ELEMENT CB_rqtJn_ (2)) 

A (ELEMENT CB jqt Jn_ (3)))) in 
let c.&ddressed = (Id = (SUBARRAY C_source (15,10))) in 
let new_C_mfsm_state = 

((C_mfsm_rst) => CMI I 
((C.mfsm.state = CMI) => 

(C.mfsmJ) A ~C_mfsm_crqt_ A ~c J>usy A ~C_mf sm_in valid ) => CMR I CMI I 
((Cjnfsm.state = CMR) => (C_mf$m J) A c .grant A C.mfsm.hold J => CM A3 I CMR I 
((C_mfsm_state = CM A3) => ((C.mfsm.D) => CMA1 I CMA3) I 
((C_mfsm_state * CM A 1 ) => 

(C_mfsm_D A (C.mfsm.ss = A SRDY)) => CMA0 1 
(C jnfsm_D A (Cjnfsnuss = A S ABORT)) => CMABT I CMA1 I 
((C_mfsm_state = CM AO) => 

(C.mfsmJD A (C _mfsm_ss = A SRDY)) => CMA2 \ 

(C_mfsmJ3 A (C.mfsm.ss = A S ABORT)) => CMABT I CMA0 1 
((C_mfsm_state = CMA2) => 

(C.mfsm.D A (C_mfsm_ss = A SRDY)) => CMD1 I 
(C.mfsm J) A (Cjnfcm.ss = A SABORT)) => CMABT I CMA2 1 
((C_mfsm_state = CMD1 ) => 

(C_mfsm_D A (C jnfsm.ss = A SRDY)) => CM DO I 
(Cjnfsm.D A (C.mfsm.ss = A S ABORT)) => CMABT I CMD1 1 
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((C_mfsm_state = CM DO) => 

(C jnfsm_D A (C _mfsm_ss = A SRDY) A C_last_inJ => CMD1 1 
(C_mfsm_D A (C_mfsm_ss = A SRDY) A -C _last_in_) => CMW I 
(C_mfsm_D A (C _mfsm_ss = A S ABORT)) => CMABT I CMDO I 
((C_mfsm_state = CMW) => 

(C_mfsm_D A (C_mfsm_ss = A SABORT)) => CMABT I 
(C_mfsm_D A (C_mfsm_ss = A SACK) A C JockJn J => CMI I 

(C_mfsm_D A (C jnfsm_ss = A SRDY) A -C Jock_in_ A -C_mfsm_CTqt J => CMA3 I CMW I 
((-CJastJnJ => CMI I CMABT))))))))))) in 

let new_C_sfsm_state = 

((C_sfsm_rst) => CSI I 

(C_sfsm_state = CSI) -> 

~((C_sfsm_D A (C_sfsm_ms = A MSTART) A -c_grant A c_addressed) => CS A1 I CSI) I 
(C_sfsm_state = CSL) => 

((C_sfsm_D A (C_sfsm_ms = A MSTART) A ~c_grant A c_addressed) => CSA1 I 
(C_sfsm_D A (C_sfsm_ms = A M START) A ~c_grant A ~c_addressed) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) — > CSABT 1 CSL) I 
(C_sfsm_state = CSA1 ) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSAO 1 
(C_sfsm_D A (C_sfsm_ms = A M ABORT)) => CSABT I CSA1) \ 

(C_sfsm_state = CSAO) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A ^_sfsm_hldaj => CS ALE I 
(C_sfsm_D A (C_sfsm jus = A MRDY) A C_sfsm_hldaJ => CSAOW I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAO) I 
(C_sfsm_state = CSAOW) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A ~C_sfsm_hldaJ => CS ALE I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) — > CSABT I CSAOW) I 
(C_sfsm_state = CSALE) => 

((C_sfsm_D A c_write A (C_sfsm_ms = A MRDY)) => CSD1 I 
(C_sfsm_D A ~c_wnte A (C_sfsm_ms = A MRDY)) => CSRR ! 

(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSALE) l 
(C_sfsm_state = CSRR) => 

((C_sfsm_D A ~{C_sfsm_ms = A M ABORT)) => CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A M ABORT)) => CSABT I CSRR) I 
(C_sfsm_state = CSD1) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSDO I 
(C_sfsm_D A (C_sfsm_ms - A MABORT)) => CSABT I CSD1) I 
(C_sfsm_state = CSDO) => 

((C_sfsm_D A (C_sfsm_ms = A MEND)) => CSACK I 
(C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSDO) I 
(C_sfsm_state = CSACK) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSL I 
(C_sfsm_D A (C_sfsm_ms = A MWATT)) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSACK) I 
(C_sfsm_D) => CSI 1 CSABT) in 

let new_C_efsm_state = 

((C_efsm_rst) => CEI I 

(C_efsm_state = CEI) => ((~C_efsm_caleJ => CEE I CEI) I 

e fsmjast_ A ~C_efsm_srdy_) V ~C_efsm_male_ V ~C_efsm_rale_) => CEI I CEE) in 

let mjw = (HM_be = (WORDN 15))) A M_wr A (-(M Jsm_state = MI))) in 
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let m_ww = ((M_be - (WORDN 15)) A M_wr A (~(M_fsm_state = MI))) in 
let new _ J M_fsm_state = 

((M_fsm_rst) => MI I 

((M_fsm_statc = MI) => ((~M_fsm_male_J => M A I MI) I 
((M_fsm_state = MA) => 

((~M_fsm _mrdy_ A m_ww) => MW I 

((“"M_fsm_mrdy_ A ((~M_wr A (~(M_fsm_state = MI))) V m_bw)) => MR I MA)) I 
((M_fsm_state = MR) => 

((m_bw A (M_count = (WORDN 0))) => MB W I 

((M_fsm_last_ A ~M_wr A (~(M_fsm_state = MI)) A (M_count = (WORDN 0))) => MA I 
((~M_fsm_last_ A ~M_wr A (~(M_fsm_state = MI)) A (M_count = (WORDN 0))) => MRR I MR))) I 
((M_fsm_state = MRR) => MI I 
((M_fsm_state = MW) => 

((~M_fsm Jast_ A (M_count = (WORDN 0))) => MI I 
((M JsmJast. A (M.count * (WORDN 0))) => MA I MW)) I 
((M_fsm_state = MBW) => MW I M_ILL))))))) in 

let new_R_fsm_state = 

((R_fsm_rst) => RI I 

((R_fsm_state = RI) => ((~R_fsm_ale_) => RA I RI) I 
((R_fsm_state = RA) => (( ~R_fsm_mrdy_) => RD I RA) I 
((~R_fsm_last J => RI I RA)))) in 
let r_fsm_cntlatch = ((R_fsm_state = RI) A ~R_fsm_ale_) in 
let r_fsm_srdy_ = ~((R_fsm_state = RA) A ~R_fsm_mrdy_) in 

let new_S_fsm_state = 

((S_fsm_rst) => S START I 
((S_fsm_state = SSTART) => SRA I 

((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO ! SPF) I SRA) I 
((S Jsm.state = SPF) => SC0I I 

((S _fsm_state = SC0I) => ((S_fsm_delayl7) => SC0F I SC0I) I 
((S_fsm_state = SC0F) => ST I 
((S_fsm_state = ST) => SC1I l 

((S_fsm_state = SC II) => ((Sjfsindclayl7) => SC1F I SC1I) I 
((S_fsm_state = SC IF) => SS I 

((S J«n_state = SS) => ((S Jsm.bothbad) => SSTOP I SCS) I 
((S_fsm_state = SSTOP) => SSTOP I 
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN I SCS) I 
((S_fsm_state = SN) => ((S _fcm_delayl7) => SO I SN) I 
((S_fsm_state = SO) => SO I S JLL)))))))))))))) in 
let s_fsmjsn = (new_S_fsm_state = SN) in 
let s_fsm_so = (new_S_fsm_state = SO) in 

let reset_cport = (((~(new_S_fsm_state = SO)) A (~(S_fsm_state = SSTOP))) V (S_fsm_state = SRA)) in 
let s_fsm_sdi = (((-(new_S_fsm_state = SO)) A (~(S_fsm_state = SSTOP))) V (S_fsm_state = SRA)) in 
let reset_piu = ((new_S_fsm_state = SSTART) V (new_S_fsm_state = SRA) 

V (Dew_S_fsm_state = SC0F) V (new_S_fsm_state = ST) 

V (new_S_fsm_state = SC IF) V (new_S_fsm_state = SS) V (new_S_fsm_state = SCS)) in 
let s_fsm_srcO - ((~(new_S_fsm_state = SPF)) A ( ~ (new_S_f sm_state = SC0I))) in 

let s_fsm_src 1 = ((~(new_S_fsm_state = ST)) A (~(new_S_fsm_state = SC II))) in 

let s_fsm_spf =s ((S_fsm_state = SRA) A S_fsm_delay6 A ~S_fsm_rst) in 

let s_fsm_scOf = (new_S_fsm_state = SCOF) in 

let s_fsm_sclf = (new_S_fsm_state = SC IF) in 

let s_fsm_spmf = ( new_S_fsm_state - SO) in 

let s_fsm_sb = (new_S_fsm_state = SSTART) in 
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let s_fsm_src = ((new_S_fsm_stale = SSTART) V ((S_fsm_state = SRA) A S_fcm_delay6) 

V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC 1 F) 

V (new_S_fsm_state = SS) V ((S_fsm_state = SCS) A S_fsm_delay6)) in 

let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) A (~(ncw_S_fsm_state = SO))) V (S_fsm_state = SN)) in 
let s_fsm_srs = (((S_fsm_state = SPF) A -S_fsm_rst) V ((S_fsm_state = ST) A ~S_fsm_rst)) in 
let s_fsm_scs = (new_S_fsm_state = SCS) in 


let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) I P_addr) in 
let new_P_destl = ((-P_rqt) => (ELEMENT L_ad_in (31)) I P_destl) in 
let new_P_be_ = ((~P_rqt) => L_be_ I P_be_) in 
let new_P_wr = ((~P_rqt) => L_wr I P_wr) in 


let new_P_size = 

((~P_rqt) => (SUB ARRAY L_ad_in (1.0)) I 
((P_down) => (DECN 1 P_size) I P_size)) in 
let new_C_holdA_ = ((ClkD) => C_bold_ I C_holdA_) in 

let i_cale_ = ~((new_C _mfsm_state = CM A3) A (new_P_fsm_state = PA) A new_C_boldA_) in 
let c_srdy_en = ((newj C_efsm_state — CEE) V (C_efsm_state = CEE)) in 
let new Jd_count = 

(((new_M_fsm_state = MA) V (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) I (WORDN 2)) 
(((new_M_fsm_state = MW) V (new Jvl Jsm.state = MR)) => (DECN 2 M.count) I M_count)) in 
let m_rdy = (((new_M_fsm_state = MW) A (new_M_count = (WORDN 0))) 

V ((new_M_fsm_state = MR) A (new_M_count = (WORDN 0)) A ~M_wr)) in 
let m_srdy_ = ~((M_rdy A ~M_wr) V (m_rdy A M_wr)) in 

let ijrdy. = ((-i_cale_ V c_sidy_en) => ~(C_wrdy V C.rrdy V (new_C„mfsm_state = CMABT)) I 
~(new_M_fsm_state = MI) => m_srdy_ I 

((new_R_fsm_state = RA) V (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) A 

fnew R fsm state = RD)) I ARB) in 


let p_ale = (~L_ads_ A L_den_) in 

let plsack = ((P.size = ((P_do wn) => (WORDN 1 ) I (WORDN 0))) A ~i_srdy_ A (new_P_fsm_state = PD)) in 
let new_P_rqt = 

((p_ale A -(p_sack V reset_j)iu)) => T I 
((~P_ale A (p_sack V reset_piu)) => F I 

((~p_ale A ~(p_sack V reset_piu)) => P_rqt I ARB))) in 

let new_P_down = (— i srdy_ A (new_P_fsm_state = PD)) in 

let new P_male_ = ((new_P_fsm_state = PA) => 

~(~new_P_destl A (-((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) A new_P_rqt) I P.maleJ in 
let new_P_rale = ((new_P_fsm_state = PA) => 

-( -new_P_destl A ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) Anew_P_rqt) I P.raleJ in 
let new_P_lock_ = 

((reset_piu) => T I 

((new_P_fsm_state = PD) => L_lock_ I P _lock_)) in 
let new_P_lock_inh_ = 

((reset_piu) => T I 

((~new_P_male_ V -new_P_rale J => L_lock_ I P_lock_inhJ) in 
let pod31_27 = (M ALTER ARBN (31,27) new_P_beJ in 
let pod31_26 = (ALTER pod31_27 (26) F) in 

let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addf (1,0))) in 
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del I C_iad_en_s_delA) in 

let new_C_sizewrbe = ((reset_cpoit) => (WORDN 0) I 

(((new_C_sfsm_state = CS AO) A C_clkA) => (SUB ARRAY C.datajn (3 1 ,22)) I C.sizewrbe)) in 

let c_new_write = (((~(new_C_mfsm_state = CMI)) A (~(new_C_mfsm_state = CMR))) => 

C_wr I (ELEMENT new_C_sizewrbe (5))) in 
let new_C_iad_out = ((C_cin_2_le) => C_daU_in I C_iad_out) in 
let r_reg_sel = ((-R_srdy_del J => (INCN 3 R_reg_sel) I R_reg_sel) in 
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let new_R_icr = 

((R_icr_load) => 

((~(r_reg_sel = (WORDN 1 ))) => (Andn rep (R_icr_old, R Jcr_mask)) I (Om rep (R_icr_old, R_icr_mask») I 
R_icr) in 

let new_R_busA_latch = 

((R_ctrO_irden) => R_ctrO_in I 
((R_ctiO_orden) => R_ctrO_out I 
((R_ctrl Jrden) => R_ctrl_in I 
((R_ctrl_ordeo) => R_ctrl_out I 
((R_ctr2_irden) => R_ctr2_in I 
((R_ctr2_orden) => R_ctr2_out I 
((R_ctr3_irden) => R_ctr3_in I 
((R_ctr3_orden) => R_ctr3_out I 
((R_icr_rden) => new_R_icr I 
((R_ccr_rden) => R_ccr I 
((R_gcr_rden) => R_gcr I 
((R_sr_rdeo) => R_sr I ARB)))))))))))) in 
let Lad « ((new_P_fsm_state = PA) => pod31_24 I 

((oew_P_fsm_state = PD) A new_P_wr) => L_ad_in I 
(new_C_iad_en_s_delA V 

((new_C_mfsm_state = CMD1) A ~c_new_write A c_srdy_en) V 
((new_C_mfsm_state = CMDO) A -c_Dew_write A c_srdy_en) V 

((new_C_mfsm_state = CMW) A (C_mfsm_state = CMDO) A ~c_new_write A c_srdy_en) V 
( ( new_C_sf sm^s tate = CSALE) A (~(C_sfsm_state = CS ALE))) V 
( ( new_C_sf sm_s tate = CSALE) A c_new_write) V 

( ( new_C_sf sm_s tate = CSD1) A c_new_ write A (~(C_sfsm_state = CSRR))) V 
((new_C_sfsm_state = CSDO) A c_new_write) V 
((new_C_sfsm_state = CSACK) A c_new_write)) => new_C_ia>d_out I 
(M_wr A -(new _M_fsm_state = MI)) => M _jd_data I 

(~R_wr A ((new_R_fsm_state = RA) V ( ne w_R_fsm_state = RD))) => new_R_busA_latch I ARB) in 
let disable_ writes - (( -(new_C_sfsm_state as CSI)) A ( -(new_C_sfsm_state = CSL)) A 
-((ChannellD = (WORDN 0)) A (ELEMENT C_source (6))) A 
-((ChannellD = (WORDN 1 )) A (ELEMENT C.source (7))) A 
-((ChannellD = (WORDN 2)) A (ELEMENT C.source (8))) A 
-((ChannellD = (WORDN 3)) A (ELEMENT C_source (9)))) in 

let i_rale_ = 

(~(new_PJsm_state = PH) => 

~(~new_P_destl A ((SUB ARRAY new_P_addr (25,24)) = (WORDN 3)) A (new_P_fsm_state = PA) A new_P_rqt) 
~((new_C_sfsm_state = CSALE) A ((SUB ARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) A C_clkA)) in 
let new_R_wr = ((-i_rale_) => (ELEMENT i_ad (27)) I R_wr) in 
let r_writeB = (-disable_writes A new_R_wr A ( new_R_f sm_s tate = RD)) in 
let r_readB = (~new_R_wr A (new_R_fsm_state = RA)) in 
let new_R_gcr = (( r_ write B A (r_reg_sel = (WORDN 2))) => Lad I R _gcr) in 
let new_R_gcr_rden = (i_readB A (r_reg_sel = (WORDN 2))) in 
let gcrl = (ELEMENT new_R_gcr (0)) in 
let gerh = (ELEMENT new_R_gcr (1)) in 
let reset_error = (ELEMENT new_R_gcr (24)) in 
let piu_in valid = (ELEMENT new_R_gcr (28)) in 

let couLseK) = (ALTER ARBN (0) ((( new_C_sf&m_state = CSD1) V (new_C_sfsm_state = CStX))) => 

( ne w_C_sfsm_state = CSD1) I 

(new_C_mfsm_state = CM A3) V (new_C_mfsm_state = CMA1) 

V (new_C_mfsm_state = CMD1))) in 
let c_cout_sel = (ALTER cout_selO (1) (((new_C_sfsm_state = CSD1) V (new_C_sfsm_state = CSDO)) => 

FI 
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( new_C_mf sm_state = CMA3) V (new_C_mfsm_state - CM A2))) in 

let new_C_hold_ = (new_C_sfsm_state = CSI) in 
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) I C_wr) in 
let new_C_clkA = ClkD in 
let i_last_ = 

(~(new_P_fsm_state = PH) => 

(P.size = ((P_down) => (WORDN 1) I (WORDN 0))) I 
C_last_out_) in 

let new_C_last_in_ = ((reset_cport) => F I 

(((new_C_mfsm_state = CMABT) V (new_C_mfsm_state = CMD1) A ClkD) => i_last_ I 
C_last_in_)) in 

let new C_lock_in_ = ((reset_cport) => F I 

((new_C_mfsm_state = CM A1 ) => ~(~new_P_lock_ A new JMockJnhJ I 

CJockJn J) in 

let new_C_ss = (((-(new_C_mfsm_state = CMABT)) A (-(new_C_mfsm_state = CMI))) => CB_ss_in I C_ss) in 
let new_C_last_out_ = 

(((new_C_sfsm_state = CSA1) A -(ClkD A ((CB_ms_in = A MEND) V (CB_ms_in = A M ABORT)))) => T I 
((~(new_C_sfsm_state = CSA1) A (ClkD A ((CB_ms_in = A MEND) V (CB_ms_in = A MABORT)))) => F I 
((~(new_C_sfsm_state = CSA1) A -(ClkD A ((CB_ms_in = A MEND) V (CB_ms_in = A MABORT)))) => C_last_out_ I 

ARB))) in 

let c_srdy = (CB_ss_in = A SRDY) in 

let c_dfsm_master = ((new_C_mfsm_state = CMA3) V (new_C_mfsm_state = CMA2) V (new_C_mfsm_state - CMA1 ) 

V (new_C_mfsm_state = CMAO) V (new_C_mfsm_state = CMD1) V (new_C_mfsm_state = CMDO)) in 
let c_dfsm_cad_en = ~((new_C_mfsm_state = CMA3) V (new_C_mfsm_state = CMA1) V (new_C_mfsm_state = CMAO) 

V (new_C_mfsm_state = CMA2) 

V (c_new_write A ((new_C_mfsm_state = CMD1) V (new_C_mfsm_state = CMDO))) 

V (~c_new_write A ((new_C_sfsm_state = CSD1) V (new_C_sfsm_state = CSDO)))) in 

let new_C_cout_0_le_del = ((i_cale_) V (i_srdy_ A -c_new_write) 

V ((new_C_mfsm_state = CMAO) A c_srdy A c_new_write A ClkD) 

V ((new_C_mfsm_state = CMDO) A c_new_write A c_srdy A ClkD)) in 
let new_C_cin_2_le = (ClkD A (((new_C_mfsm_state = CMDO) A c_srdy A -c_new_write) V 

((new_C_sfsm_state = CSAO)) V 
((new_C_sfsm_state = CSDO) A c_new_write))) in 

let new_C_mrdy_del_ = -((-c_new_write A ClkD A ((new_C_sfsm_state = CSALE) V (new_C_sfsm_state = CSD1 ))) V 
(~c_new_write A C_clkA A (new_C_sfsm_state = CSACK)) V 
(c_new_write A ClkD A (new_C_sfsm_state = CSDO))) in 
let new_C_iad_en_s_del = (((new_C_sfsm_state = CSALE) A ( -( C_sfsm_state = CSALE))) 

V ((new_C_sfsm_state = CSALE) A c_new_write) 

V ((new_C_sfsm_state = CSD1) A c_new_write A (-(C_sfsm_state = CSRR))) 

V ((new_C_sfsm_state = CSDO) A c_new_write) V 
((new_C_sfsm_state = CSACK) A c_new_write)) in 

let new_C_wrdy = (c_srdy A c_new_write A (new_C_mfsm_state = CMD1 ) A ClkD) in 
let new_C_ndy = (c_srdy A -c_new_write A (new_C_mfsm_state = CMDO) A ClkD) in 
let c_pe = (Par_Det rep (CB_ad_in)) in 

let c.mparity = ((new_C_mfsm_state = CM A3) V (new_C_mfsm_state = CM Al) V (new_C_mfstn_state = CMAO) 

V (new_C_mfsm_state = CMA2) V (new_C_mfsm_state = CMD1) V (new_C_mfsm_state = CMDO) 

V (C_mfsm_state = CMA1) V (C_mfsm_state = CMAO) V (C_mfsm_state = CMA2) 

V (C_mfsm_state = CMD1 )) in 

let c_sparity = ((~(new_C_sfsm_state = CSI)) A (~(new_C_sfsm_state = CSACK)) A (~(new_C_sfsm_state = CSABT))) in 
let c_pe_cnt = (ClkD A ((-(cjnparity = c_sparity)) V ((SUB ARRAY CB_ss_in (1.0)) = (WORDN 0)))) in 
let new_C_parity = 

(((ClkD A c_pe A c _pe_cnt) A -reset_error) => T I 
((-(ClkD A c_pe A c_pe_cnt) A reset_error) => F I 
((-(ClkD A c_pe A c_pe_cnt) A -reset_error) => C_parity I ARB))) in 
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let new_C_source = 

((reset_cport) => (WORDN 0) I 

((ClkD A ( ( new_C_sf sm_s tafce = CSI) V ( new_C_sf sm_state = CSL))) => Par_Dec rep (CB_ad_in) I C_source)) in 
let data_in31_16 = 

(MALTER ARBN (31,16) ((reset.cport) => (WORDN 0) I 

((ClkD A (((new_C_mfsm_state = CMD1) A c_srdy A -c_new_write) V 
(( new_C_sfsm_state = CSA1)) V 

((new_C_sfsm_state = CSD1) Ac_new_write))) => Par_Dec rep (CB_ad_m) I 
(SUBARRAY C_data_in (31,16))))) in 

let new_C_data_in = 

(MALTER data_m31_16 (15,0) ((reset_cport) => (WORDN 0) I 

((new_C_cm_2_le) -> Par_Dec rep (CB_ad_in) I 
(SUBARRAY C_data_in (15,0))))) in 
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad I C_iad_in) in 
let new_C_alaO = 

(((c_dfsm_master A C_cout_0_le_del) V 

(-c_dfem_master A C_clkA A (new_C_sfsm_state = CSD1))) => C_iad_in I C_alaO) in 
let new_C_a3a2 * ((new_C_mfsm_state = CMR) => R_ccr I C_a3a2) in 
let i_be_ = ((new_P_fsm_state = PA) => new_P_be_ I 

(new_P _fsm_state = PD) => L_be_ I SUBARRAY new_C_sizewrbe (9,6)) in 
let i_male_ = 

(-(new_P_fsm_state = PH) => 

-(-new_P_destl A (-((SUB ARRAY newJLaddr (25,24)) = (WORDN 3))) A (new_P_fsm_state = PA) A new _P_rqt) I 
-( (new_C_s fsm_state m CSALE) A (-((SUB ARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) A C_clkA)) in 
let new_M-.se = ((~i_male_) => (ELEMENT i_ad (23)) I M_se) in 
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) I M_wr) in 
let new_M_addr = 

((-LmaleJ => (SUBARRAY Lad (18,0)) I 
((M_rdy) => (INCN 18 M_addr) I M_addr)) in 
let new JAJbc = ((-i_male_ V -m_srdy_) => (NOTN 3 i_be_) I M_be) in 
let new_M_rdy = m_rdy in 

let new _M_wwdel = ((new _M„fsm„state = MA) A new_M_wr A (new_M_be = (WORDN 15))) in 
let new_M_rd_data = (((new_M_fsm_state = MR)) => (HamJDec rep MB_data_in) I M_rd_data) in 
let new_M_detect = 

((((new_M_fsm_state = MR) A -new _>l_wr) V new_M_wr V (new_M_fsm_state = MI)) => 

((-Edac_en_J => (Ham_Detl rep MB_data_in) I WORDN 0) I M_detect) in 
let m_error = (~m_srdy_ A ( ~(new_M_fsm_state = MI)) A Ham_Det2 rep (new_M_detect, -Edac_en_)) in 
let new_M_parity = 

((m_error A -(reset_piu V reset_error)) => T I 
((-m_error A (reset_piu V reset_error)) => F I 
((-m_error A -(reset^piu V reset_error)) => M_parity I ARB))) in 
let new_R_cntlatch_deI = r_fsm_cntlatch in 
let new_R_srdy_del_ = r_fsm_srdy_ in 
let new R reg sel = 

((-i_rale_) => (SUBARRAY i_ad (3,0)) I 
((-R_srdy_del_) => (INCN 3 R_reg_sel) I R_reg_sel)) in 
let rewrite A = (-disable^ writes A R_wr A (oew_R_fsm_state = RD)) in 
let r_readA - (~R_wr A (new_R_fsm_state = RA)) in 

let r_cir_wi01A = ((rjwriteA A ((r_reg_sel = (WORDN 8)) V (r_reg_sel = (WORDN 9))))) in 
let r_cir_wi01B = ((r_writeB A ((r_reg_sel « (WORDN 8)) V (r _reg_sel = (WORDN 9))))) in 
let r_cir_wr23A = ((r_writeA A ((r_reg_sel = (WORDN 10)) V (r_reg_sel = (WORDN 11))))) in 
let r_cir_wr23B = ((r_writeB A ((r_reg_sel = (WORDN 10)) V (r_reg_sel = (WORDN 11))))) in 
let new_R_ccr = ((r_writeB A (r _reg_sel = (WORDN 3))) => i_ad I R_ccr) in 
let new R ccr_rden = (r_readB A (r_reg_sel = (WORDN 3))) in 
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let new_R_c01_cout_del = R_ctrl_cry in 
let new_R_intl_en = 

((((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT new_R_gcr (16))))) A 
-(-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_£cr (17)) A R_c01_cout_del))) => T I 
((-((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT new_R_gcr (16))))) A 
(-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => F I 
((-((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT new_R_gcr (16))))) A 
-(-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => R_intl_en I ARB))) in 
let new_R_c 23 _cou t_de 1 = R_ctr3_cry in 
let new_R_mt2_en = 

((((ELEMENT new_R_gcr (22)) A (r_cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
-(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21 )) A R_c23_cout_del))) => T I 
((-((ELEMENT new_R_gcr (22)) A (r_cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => F I 
((-((ELEMENT new_R_gcr (22)) A (r_cii_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
-(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => R_int2_en I ARB))) in 
let new_R_ctrO_in = ((r_writeB A (r_reg_sel = (WORDN 8))) => i_ad I R_c(iO_in) in 
let new_R_ctrO_mux_sel = (r_cii_wi01B V ((ELEMENT new_R_gcr (16)) AR_ctrl_cry)) in 
let new_R_ctrO_irden = (r_readB A (r_reg_sel = (WORDN 8))) in 
let new_R_ctrO = ((R_ctiO_mux_sel) => R_ctrO_in I R_ctiO_new) in 
let new_R_ctiO_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctrO) I R_ctrO) in 
let newjTctrO_cry = ((ONES 3 1 R_ctiO) A (ELEMENT new_R_gcr (19))) in 
let new_R_ctrO_out = ((i_fsm_cntlatch) => R_ctrO_new I R_cbO_out) in 
let new_RlctrO_orden = (r_readB A (r_reg_sel = (WORDN 12))) in 
let new_R_ctrl_in = ((r_writeB A (r_reg_sel = (WORDN 9))) => Lad I R.ctrl Jn) in 
let new_R_ctr l_mux_sel = (r_cir_wi01B V ((ELEMENT new_R_gcr (16)) A R_ctrl_cry)) in 
let new_R_ctrl_irden = (r_readB A (r_reg_sel = (WORDN 9))) in 
let new_R_ctrl = ((R_ctrl_mux_sel) => R_ctrl Jn I R_ctxl_new) in 
let new_R_ctrl_new = ((R_ctiO_cry) => (INCN 31 R_ctrl) I R_ctrl) in 
let new_R_ctrl_cry = ((ONES 31 R_ctrl) A R_ctrO_cry) in 
let new_R_ctrl_out = ((R_cntlatch_del) => R_ctrl_new I R_ctrl_out) in 
let new_R_ctrl_orden = (r_readB A (r_reg_sel = (WORDN 13))) in 
let new_R_ctr2_in = ((r_writeB A (r_reg_sel = (WORDN 10))) => i_ad I R_ctr2_in) in 
let new_R_ctr2_mux_sel = ((r_cir_wr23B V ((ELEMENT new_R_gcr (20)) AR_ctr3_ciy))) in 
let new_R_ctr2_irden = (r_readB A (r_reg_sel = (WORDN 10))) in 
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in I R_cti2_new) in 
let newjTctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) I R_ctr2) in 
let new_R_ctr2_cry = ((ONES 31 R_ctr2) A (ELEMENT new_R_gcr (23))) in 
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new I R_ctr2_out) in 
let new_R_ctr2_orden = (r_readB A (r_reg_sel = (WORDN 14))) in 
let new_R_ctr3_in = ((r_writeB A (r_reg_sel = (WORDN 11))) => i_ad I R_ctr3_in) in 
let new_R_ctr3_mux_sel = ((r_cir_wrt3B V ((ELEMENT new_R_gcr (20)) A R_ctr3_cry))) in 
let new_R_ctr3_iiden = (r_readB A (r_reg_sel = (WORDN 11))) in 
let new_R_ctx3 = ((R_ctr3_mux_sel) => R_ctr3_in I R_ctx3_new) in 
let new_R_ctr3_new = ((R_ctr2_ciy) => (INCN 31 R_cti3) I R_ctr3) in 
let new_R_ctr3_cry = ((ONES 31 R_ctr3) A R_ctr3_cry) in 
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new I R_ctr3_out) in 
let new_R_ctr3_orden = (r_readB A (r_reg_sel = (WORDN 15))) in 

let new_R_icr_load = (r.writeB A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) in 
let new_R_icr_old = 

((r.writeB A ((r_re^_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) => R.tcr I R Jcr_old) in 
let ne w_R_icr_m ask = 

((r_writeB A ((r_re^_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) => i_ad I R_icr_mask) in 
let new_R_icr_rden = ((new_R_fsm_state = RA) A ((r_reg_sel = (WORDN 0)) V (r_ieg_sel = (WORDN 1)))) in 
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let r_intO_en = (((ELEMENT RJcr (0)) A (ELEMENT R Jcr (8))) V 
((ELEMENT R_icr (1 )) A (ELEMENT R Jcr (9))) V 
((ELEMENT R Jcr (2)) A (ELEMENT R Jcr (10))) V 
((ELEMENT RJcr (3)) A (ELEMENT RJcr (11))) V 
((ELEMENT RJcr (4)) A (ELEMENT RJcr (12))) V 
((ELEMENT RJcr (5)) A (ELEMENT RJcr (13))) V 
((ELEMENT RJcr (6)) A (ELEMENT RJcr (14))) V 
((ELEMENT RJcr (7)) A (ELEMENT RJcr (15)))) in 
let ncw_R_intO_dis = rjnt0_en in 

let r Jnt3_en = (((ELEMENT RJcr (16)) A (ELEMENT RJcr (24))) V 
((ELEMENT RJcr (17)) A (ELEMENT RJcr (25))) V 
((ELEMENT RJcr (18)) A (ELEMENT RJcr (26))) V 
((ELEMENT RJcr (19)) A (ELEMENT RJcr (27))) V 
((ELEMENT RJcr (20)) A (ELEMENT RJcr (28))) V 
((ELEMENT RJcr (21)) A (ELEMENT RJcr (29))) V 
((ELEMENT RJcr (22)) A (ELEMENT RJcr (30))) V 
((ELEMENT RJcr (23)) A (ELEMENT RJcr (31)))) in 
let new_R_int3_dis = rjnt3_en in 

let new_S_soft_shot_del = (~gcrh A gcrl) in 
let s_soft_cnt_out - 

((s_fsm_srs) => 

((gcrl A -gcrb A ~S_soft_shot_del) => (WORDN 1) I (WORDN 0)) I 
((gcrl A -gcrfa A ~S_soft_shot_del) => (INCN 2 S_soft_cnt) I S_soft_cnt)) in 
let new_S_soft_cnt = ((— gCTh A -gcrl) => (WORDN 0) I s_soft_cnt_out) in 
let s_delay_out = 

((s Jsm_src V (s_fsm_scs A (ELEMENT S_delay (6)))) => 

((sjsrn_sec) => (WORDN 1) I (WORDN 0)) I 
((sjsm_sec) => (INCN 17 S_delay) I S_delay)) in 
let new_S_delay = s_delay_out in 

let s_cpuO_ok = (sjsm_sc0f A FailureO_ A (s_soft_cnt_out = (WORDN 5))) in 
let s_cpul_ok = (s Jsm_sclf A Failure 1_ A (s_soft_cnt_out = (WORDN 5))) in 
let new_S_jpmm Jail = 

((s Jsm_sb A ~s_fsm„spmf) => T i 
((~sjsm_sb A s_fsm_spmf) => F I 
((-s_fsm_sb A -sjsm_spmf) => S_pmm_fail I ARB))) in 
let new_S_cpuO Jail * 

((s Jsm_sb A ~(s_cpuO_ok V Bypass)) => T I 
((-sjsm_sb A (s_cpuO_ok V Bypass)) => F I 
((-sjsm_sb A ~(s_cpuO_ok V Bypass)) => S_cpuOJail I ARB))) in 
let new_S_cpul Jail = 

((sjsm_sb A ~(s_cpul_ok V Bypass)) => T I 
((-s Jsm_sb A (s_cpul_ok V Bypass)) => F I 
((-sjsm_sb A -(s_cpul_ok V Bypass)) => S_cpul Jail I ARB))) in 
let new_S_piuJail = 

((s_fsm_sb A -(s Jsm_spf V Bypass)) => T I 
((-sjsm_sb A (sjsm_spf V Bypass)) => F I 
((~sjsm_sb A ~(sjsm_spf V Bypass)) => S_piu Jail I ARB))) in 
let s_cpuO_select = ((sjsm_sn V sJsm_so) A -S_cpuOJail) in 
let s_cpul_select = ((sjsm_sn V sJsm_so) A S_cpuOJail A -S_cpul Jail) in 
let new_S _bad_cpuO = 

((s Jsm_sb A -s_cpuO_select) => T 1 
((-sjsm_sb A s_cpuO_select) => F I 
((-s Jsm_sb A -s_cpuO_select) => S_bad_cpuO l ARB))) in 
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letnewJS_bad_cpul = 

((s_fsm_sb A ~s_cpul_select) => T I 
((~s_fsm_sb A s_cpul_s elect) => F I 
((~s Jsmjsb A ~s_cpul_select) -> S_bad_cpul I ARB))) in 
let new_S_reset_cpuO » (new_S _bad_cpuO A s_fsm_srcO) in 
let new_S_reset_cpu 1 = (new_S_bad_cpul A s_fsm_srcl ) in 
let new_S_cpu Jiist = (S_reset_cpuO A S_reset_cpul A Bypass) in 
let ssO = (ALTER ARBN (0) ((new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) 

V (new_S_fsm_state = SCS) V (oew_S_fsm_state = SN) 

V (new_S_fsm_state = SO))) in 

let ssl = (ALTER ssO (1) ((oew_S_fsm_state = SCOF) V (new_S_fsm_state = ST) 

V (oew_S_fsm_state — SC1I) V (oew_S_fsm_state = SC1F) 

V (new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) 

V (new_S_fsm_state = SCS))) in 

let ss2 = (ALTER ssl (2) ((new_S_fsm_state = SPF) V (new_S_fsm_state = SCOT) 

V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) 

V (new_S_fsm_state = SSTOP) V (new_S_fsm_state = SO))) in 
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) V (new_S_fsm_state = SPF) 

V (new_S_fsm_state = ST) V (new_S_fsm_state = SC II) 

V (new_S_fsm_state = SCS) V (new_S_fsm_state = SN) 

V (new_S_fsm_state = SO))) in 

let s_state = ss3 in 

let sr28 = (ALTER ARBN (28) new_M_parity) in 

let sr28_25 = (M ALTER sr28 (27,25) new_C_ss) in 

let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in 

let si28_22 = (MALTER sr28_24 (23,22) ChannellD) in 

let sr28_16 = (MALTER sr28_22 (21,16) Id) in 

let sr28_12 = (MALTER sr28_16 (15,12) s_state) in 

let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in 

let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in 

let sr28_3 = (ALTER sr28_8 (3) new_Sjeset_cpul) in 

let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpuO) in 

let sr28_l = (ALTER sr28_2 (1) new_S_cpul_fail) in 

let si28_0 = (ALTER sr28_l (0) new_S_cpuO_fail) in 

let new_R_sr = ((r_fsm_cntlatch) => sr28_0 1 R_sr) in 

let new_R_sr_rden = (r_readB A (r_reg_sel = (WORDN 4))) in 

let new_P_fsm_rst = reset_piu in 
let new_P_fsm_sack = p_sack in 

let new_P_fsm_cgnt_ = ~{new_C_mfsm_state = CM A3) in 

let new_P_fsm_hold_ = new_C_h°WA_ in 

let new_C_mfsm_D = ClkD in 

let new_C_mfsm_rst = reset_cport in 

let new_C_mfsm_crqt_ = ~(new_P_destl A new_P_rqt) in 

let new_C_mf sm_hold_ = new_C_holdA_ in 

let new_C_mfsm_ss = CB_ss_in in 

let new_C_mfsm_in valid = pi u_in valid in 

let new_C_sfsm_D = ClkD in 

let new_C_sfsm_rst = reset_cport in 

let new_C_sfsm_hlda_ = ~(new_P_fsm_state = PH) in 

let new_C_sfsm_ms = CB_ms_in in 

let new_C_efsm_cale_ = i_cale_ in 

let new_C_efsm_last_ = i_last_ in 

let new_C_efsm_male_ = i_male_ in 
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let new_C_efsm_rale_ = i_rale_ in 
let new_C_efsm_srdy_ = i_srdy_ in 
let new_C_efsm_rst = reset_cport in 
let new_M_fsm_m ale_ = i_male_ in 
let new_M_fsm_last_ = i_last_ in 

let new_M_fsm_nutiy_ = ((~(P_fsm_ state = PH)) => F I C_mrdy_delJ in 
let new _M_fsm _jst = reset^piu in 
let new_R_fsm_ale_ = i_rale_ in 

let new_R_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F I C_mrdy_del_) in 
let new_R_fsm_last_ = i Jast_ in 
let new_R_fsm_rst = reset_piu in 
let new_S_fsm_rst = Rst in 

let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in 

let new_S_fsm_delay 1 7 = ((Test) => (ELEMENT s_delay_out (6)) I (ELEMENT s_delay_out (17))) in 
let new_S_fsm_bothbad = (new_S_cpuO_fail A new_S_cpul_fail) in 
let new_S_fsm_bypass = Bypass in 

(new_P_addr, new_P_destl , new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack t 
new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_mh_, 
new_P_male_, new_P_rale_, 

new_C_jnfsm_state, new_C_mfsm_D, new_C_infsm_rst, new_C_mfsm_crqt_, new_C_mf sm_ho ld_ , new_C _jnfsm_ss, 
new_C_mfsm_in valid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_rst, new_C_sfsm_hlda_, new_C_s fsm_ms , 
new_C_efsm_state, new_C_efsm_cale_, new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, ne w_C_ef sm_srd y _ 
new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_clkA, new_C_last_in_, new_C_lock_in_, new_C_ss, 
new_C_Jas t_out_, new_C_bold_, new_C_holdA_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_, 
new_C_iad_en_s_del , new_C_iad_en_s_delA, new_C_wrdy, new_C jrdy, new_C_parity, new_C_source, new_C_data_in, 
new_C_iad_out, new_C_iad_in, new_C_alaG, new_C_a3a2, 

new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, ne w_M_fsm_rs t, new _M_count, 
new_M_se, new_M_wr, new_M_addr, oew_M_be, Dew_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, 
new_M_detect, 

new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_midy_, new_R_fsm_last_, new_R_fsm_ret, new_R_ctrO_in, 
new_R_ctrO_mux_sel, new_R_ctrO, new_R_ctrO_irden , new_R_ctiO_new, new_R_ctrO_cry, new_R_ctrO_o ut, 
new_R_ctrO_orden, new_R_ctrl_in, new_R_ctxl_mux_sel, new_R_ctrl, new_R_ctr 1 _irden , new_R_ctrl_new, 
new_R_ctrl_cry, 

new_R_ctrl_out, ne w_R_ctr 1 _ordeo , new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2, new_R_ctr2_irden , 
new_R_ctr2_new, 

new_R_ctr2_cry, new_R_ctr2_out, new„R_ctr2_ordeo, new_R_ctr3_in, ne w_R_ctr3_mux_sel , new_R_ctr3, 
new_R_c tr3 _irden , 

new_R__ctr3_new, new_R_ctr3_cry, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr Joad, new_R_icr_old, 
new_R_icr_mask, 

new_R_icr_rden, new_R_icr, new_R_ccr, new_R_ccr_rden, new_R_gcr, new R gey rden , new_R_sr, new_R_srjrden, 
new_R_intO_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_intl_en, new_R_c23_cout_del, new_R_int2_en, 
new_R_wr, 

new_R_cntlatch_del, Dew_R_srdy_del_ > new_R_reg_sel, ne w_R_bus A_latch, 
new_S_fsm_state, new_S_fsm_rst, new_S_f sm_delay 6 , new_S_fsm_delay 17, new_S_fsm_botbbad, 
new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpuO, new_S_bad_cpul, 
new_S_reset_cpuO, new_S_reset_cpul, new_S_cpu_hist, new_S_pmm_fail, new_S_cpuO_fail , ne w_S_cpu 1 _f ail , 
new_S_piu_fail)” 

);; 


%
Output definition for EXEC instruction.
%
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let piuEXEC_out_def = new_defmition 
( 4 piuEXEC_out\ 

“I (repi'Vep^ty) 

(P_fsm_state :pfsm_ty) 

(P_addr P_be_ P_size :wordn) 

(P_destl P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_ 

P_lock_inh_ P_male_ P_rale_ :bool) 

(C__mfsm_state :cmfsm Jy) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty) 

(C_mfsm_ss C_sfsm_ms C.sizewrbe C_ss C_source C_data_in C _iad_out C_iad_in C_alaO C_a3a2 :wordn) 
(C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_mvalid C_sf$m_D C_sfsm_rst C_sfsm_hlda_ 
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst 
C_wr C clkA CJast_in_ CJockJn_ C Jast_out_ C_bold_ C_holdA_ C_cout_0_le_del C_cin_2 Je 
C_midy_del_ C_iad_en_s_del CJad_en_s_delA C_wrdy C_rrdy Charity :bool) 

(M_fsm_state :mfsm_ty) 

(M_count M_addr M _be M_rd_data M_detect :wordn) 

(M_fsm_male_ M_fsm _last_ M_fsm_mrdy_ M Jsm.rst M_se M_wr M_rdy M_wwdel M_panty :bool) 

(R_fsm_state :rfsm_ty) 

(R_ctiO_in R_ctrO R_ctrO_new R_ctrO_out R_ctrl_in R_ctrl R_ctrl_new R_ctrl_out R_ctr2_in R_cb2 R_ctr2_new 
R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R Jcr.mask RJcr R_ccr R_gcr R_sr 
R_reg_sel R_busAJatch :wordn) 

(R_fsm_ale_ R_fsm_mrdy_ R_fsm _last_ R_fsm_rst R_ctiO_mux_sel R_ctrO_irden R_cbO_cry R_ctiO_orden 
R ctrl_mux_sel R_ctrl Jrden R_ctrl_cry R_ctrl_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctc2_orden 
R~ctr3_mux sel R_ctr3 Jrden R_ctr3_cry R_ctr3_orden RJcr .load RJcrjden R_ccr_rden R_gcr_rden R_sr_rden 
R_intO_dis RJnt3_dis R_c01_cout_del R Jntl_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool) 
(S_fsm_state :sfsm_ty) 

(S_soft cot S_delay :wordn) 

(S_fsm_rst S_fsm_delay6 S_fsm_delayl7 SJsm_bothbad S_fsm_bypass S_sofl_shot_del S_bad_cpuO S_bad_cpul 
S_reset_cpuO S_reset_cpul S_cpu_hist S_pmm_fail S_cpuO_fail S_cpul Jail Sjpiu_fail :bool) 

(L_ad_in L_be_ :wordn) 

(ClkA ClkB Rst L_ads_ L_den_ L_wr LJock_ :bool) 

(CB_rqt_in_ CB_ad Jn CB_ms_in CB_ss_in Id CbannellD :wordn) 

(ClkD :bool) 

(MB_dataJn :wordn) 

(Edac_eo_ :bool) 

(Bypass Test FailureO_ Failurel_ :bool) . 
piuEXEC_out rep 

(P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, PJsm_cgnt_, P_fsm_hold_, 
p_rqt, P_size, P_dowo, PJock_, PJock_inh_, P_male_, P_rale_* 

C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_in valid, 
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms, 

C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, 

C_wr, C_sizewrbe, C_clkA, CJast_in_, CJock_in_, C_ss, CJast_out_, 

C_hold_, C_holdA_, C_cout_OJe_del, C_cin_2Je, C_mrdy_del_, CJad_en_s_del, CJad_en_s_delA, 

C_wrdy, C_rrdy, C_parity, C_source, C_datajn, CJad_out, CJadJn, C_alaO,C_a3a2, 

M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_ J M_fsm_rst, M_count, M_se, M_wr, M_addr, 

M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect, 

R_fsm_state, R_fsm_ale_. R_fsm_mrdy_, R_fsmjast_, RJsmjst, R.ctrOJn, R_ctrO_mux_sel, R_ctiO, 
R_ctrO_irden, R_ctrO_new, R_ctrO_cry, R_ctiO_out, R_cbO_orden, R_ctrl Jn, R_ctrl_mux_sel, 

R_ctrl, R_ctrl_iiden, R_ctrl_new, R_ctrl_cry, R_ctrl_out, R_ctrl_orden, R_ctr2Jn, R_ctx2_jnux_sel, 

R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel. 

R_ctr3, R_ctr3 Jrden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_clr3_orden, RJcrJoad, RJcr_old, 

RJcr_mask, RJcr_rden, RJcr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R JntO_dis, 
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R_int3_dis, R_c01_cout.de!, R.intl.en, R_c23_cout_del, R_int2_.cn, R_wr, R_cntlatch_dcl, R.srdy.del. 
R_rcg_scl, R.busA.latch, 

S.fsm.state, S_fsm_rst, S.fsm.delayb, S_fsm_delayl7, S_fsm_bothbad, SJsm.bypass, S.soft.shot.del, 
S_soft.cn t, S.delay, S.bad.cpuO, S_bad_cpul, S_rcset_cpuO, S.reset.cpu 1 , S.cpu.hist, S_pmm_fail, 
S.cpuO.fail, S.cpul.fail, S_piu_fail) 

(ClkA, ClkB, Rst, L.ad.in, L.ads., L.den., L_be_, L_wr, L_lock_, 

CB.rqt.in_, CB.ad.in, CB_ms_in, CB.ss.in, ClkD, Id, CbanneUD, 

MB.data.in, Edac.en., 

Bypass, Test, FailureO., Fail ure 1_) = 


let new.P.fsm.state = 

((P.fsm.rst) => PA I 

((P.fsm.state = PH) => ((-P.fsm .hold.) => PH I PA) I 
((P_fsm_state = PA) => 

(((P.rqt A -P.destl) V (P.rqt A P_destl A ~P.fsm.cgnt.)) => PD I 
((~P.fsm.ho Id. A P.lockJ => PH I PA)) I 
((P.fsm.state = PD) => 

(((P.fsm.sack A P.fsm.hold.) V (P_fsm_sack A -P.fsm.hold. A -P.lockJ) => PA I 
((P.fsm.sack A -P.fsm.hold. A P Jock.) => PH I PD)) I P JLL)))) in 

let c.write = (((-(C.mfsm.state = CMI)) A (-(C.mfsm.state = CMR))) => C.wr I (ELEMENT C.sizewrbe (5))) in 

let c.busy = (-((SUB ARRAY CB.rqtJn. (3,1)) = (WORDN 7))) in 

let errant = ((((SUB ARRAY Id (1,0)) * (WORDN 0)) A -(ELEMENT CB.rqtJn. (0))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 1)) A -(ELEMENT CB_rqt_in_ (0)) 

A (ELEMENT CB.rqtJn. (1))) 

V (((SUB ARRAY Id (1 ,0)) = (WORDN 2)) A -(ELEMENT CB_rqt_in_ (0)) 

A (ELEMENT CB.rqt.in_ (1)) 

A (ELEMENT CB.iqt.in. (2))) 

V (((SUB ARRAY Id (1,0)) = (WORDN 3)) A -(ELEMENT CB.iqt.in. (0)) 

A (ELEMENT CB.rqtJn. (1 )) 

A (ELEMENT CB.rqtJn. (2)) 

A (ELEMENT CB.iqt.in. (3)))) in 
let c.addressed = (Id = (SUBARRAY C.source (15,10))) in 
let new.C.mfsm.state = 

((C.mfsm.rst) => CMI I 
((C.mfsm.state = CMI) => 

(C.mfsm.D A -C.mfsm.crqt. A -c.busy A -C.mfsm.invalid) => CMR I CMI I 
((C.mfsm.state = CMR) => (C.mfsm.D A c .grant A C.mfsm.hold.) => CM A3 I CMR I 
((C.mfsm.state = CM A3) => ((C.mfsm.D) => CMA1 I CMA3) I 
((C.mfsm.state = CMA1) => 

(C.mfsm.D A (C.mfsm.ss = A SRDY)) => CM AO I 
(C jnfsm.D A (C .jnfsm.ss = A SABORT)) => CMABT I CMA1 1 
((C.mfsm.state = CMAO) => 

(C.mfsm.D A (C _jnfsm_s$ = A SRDY)) => CM A2 1 
(C jnfsm.D A (C jnfsm.ss = A S ABORT)) => CMABT I CMAO I 
((C.mfsm.state = CMA2) => 

(C jnfsm.D A (C jnfsm.ss = A SRDY)) => CMD1 1 
(Cjnfsm.D A (C jnfsm.ss = A SABORT)) => CMABT I CMA2 1 
((C.mfsm.state = CMD1) => 

(Cjnfsm.D A (C jnfsm.ss = A SRDY)) => CM DO I 
(C.mfsm.D A (C jnfsm.ss = A S ABORT)) => CMABT I CMD1 ! 

((C.mfsm.state = CM DO) => 

(C_mfsm_D A (C .mfsm.ss = A SRDY) A C Jast.in.) => CMD1 1 
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(C_mfsm_D A (C_mfsm_ss = A SRDY) A ~C_last_inJ => CMW I 
(C_mfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I CMDO I 
((C_mfsm_state - CMW) => 

(Cjnfsm_D A (C_mfsm_ss = A S ABORT)) => CMABT I 
(C_mfsm_D A (C_mfsm_ss = A SACK) A C JockJn J => CMI I 

(C_mfsm_D A (Cmfsmj* = A SRDY) A -C_lock_in_ A -C_mfsm_crqtJ => CMA3 I CMW I 
((-CJastJnJ => CMI I CMABT))))))))))) in 

let new_C_sfsm_state = 

((C_sfsm_rst) => CSI I 

(C_sfsm_state = CSI) => 

((C_sfsm_D A (C_sfsm_ms = A MSTART) A ~c_grant A c_addressed) => CS A1 I CSI) I 
(C_sfsm_state = CSL) => 

((C_sfsm_D A (C_sfsm_ms = A MSTART) A ~c_grant A c.addressed) => CSA1 1 
(C_sfsm_D A (C_sfsm_ms = A MSTART) A -c_grant A -c_addressed) => CSI I 
(C_sfsm_D A (C_sfsm _jns = A MABORT)) => CSABT I CSL) I 
(C_sfsm_state = CS Al) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSAO I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAI) I 
(C_sfsm_state = CSAO) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A ~C_sfsmJildaJ => CSALE 1 
(C_sfsm_D A (C_sfsm _ms » A MRDY) A C_sfsm_hldaJ => CS AOW I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAO) I 
(C_sfsm_state = CSAOW) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY) A -C_sfsm_hlda_) => CSALE I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSAOW) I 
(C_sfsm_state = CSALE) => 

((C_sfsm_D A c_write A (C_sfsm_ms = A MRDY)) => CSD1 I 
(C_sfsm_D A ~c_write A (C_sfsm_ms = A MRDY)) => CSRR I 
(C_sfsm_D A (C_sfsm_ras = A M ABORT)) -> CSABT I CSALE) I 
(C_sfsm_state = CSRR) => 

((C_sfsm_D A ~(C_sfsm„ms = A M ABORT)) => CSD1 I 
(C_sfsm_D A (C_sfsm_ms = A M ABORT)) => CSABT I CSRR) I 
(C_sfsm_state = CSD1) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSDO I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSD1) I 
(C_sfsm_state = CSDO) => 

((C_sfsm_D A (C_sfsm_ms = A MEND)) => CSACK I 
(C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSD1 i 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSDO) I 
(C_sfsm_state = CSACK) => 

((C_sfsm_D A (C_sfsm_ms = A MRDY)) => CSL I 
(C_sfsm_D A (C_sfsm_ms = A MWAIT)) => CSI I 
(C_sfsm_D A (C_sfsm_ms = A MABORT)) => CSABT I CSACK) I 
(C_sfsm_D) => CSI I CSABT) in 

let new_C_efsm_state = 

((C_efsm_rst) => CEI I 

(C_efsm_state = CEI) => ((^efsm.cale.) => CEE I CEI) I 

((-C_efsm_last_ A -C_efsm_srdy_) V -C_efsm_male_ V -C_efcm_rale J => CEI I CEE) in 

let m_bw = (HM_be = (WORDN 15))) A M_wr A (-(M_fsm_state = MI))) in 
let m_ww = ((M_be = (WORDN 15)) A M_wt A (~(M_fsm_state = MI))) in 
let new_M_fsm_state = 
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((M_fsm_rst) => MI I 

((M_fsm_stafce = MI) => ((~M_fsm_male_) => M A I MI) I 
((M_fsm_stafce = MA) => 

((~M_fsm_mrdy_ A m_ww) => MW I 

((-M_fsm _mrdy_ A ((~M_wr A (~(M_fsm_state = MI))) V m_bw)) => MR I MA)) I 
((M_fsm_state = MR) => 

((m_bw A (M.count = (WORDN 0))) => MBW I 

((M_fsm_last_ A ~M_wr A (~(M_fsm_state = MI)) A (M_count = (WORDN 0))) => MA I 
((~M_fsm_last_ A ~M_wr A (~(M_fsm_staie = MI)) A (M_count = (WORDN 0))) => MRR i MR))) 
((M_fsm_state = MRR) => MI I 
((M_fsm^state = MW) => 

((~M_fsm Jast__ A (M_count = (WORDN 0))) => MI I 
((M_fsm_last_ A (M_count = (WORDN 0))) => MA I MW)) I 
((M_fsm_state = MBW) => MW I M_ILL))))))) in 

let ne w_R_f sm_s tate = 

((R_fsm_rst) => RI I 

((R_fsm_state = RI) => ((~R_fsm_ale_J => RA I RI) I 
((R_fsm_state = RA) => ((~R_fsm_mrdy__) => RD I RA) 1 
((-R_fsm_lastJ => RI I RA)))) in 
let r_fsm_cntlatch = ((R_fsm_state = RI) A ~R_fsm_ale_) in 
let r_fsm_srdy_ = ~((R_fsm_state = RA) A ~R_fsm joaidy J in 

let new_S_fsm_state = 

((SJsm.rst) => S START I 
((S_fsm_state = S START) => SRA I 

((S_fsm_state = SRA) => ((S__fsm_delay6) => ((S_fsm_bypass) => SO I SPF) I SRA) I 
((S_fsm_state = SPF) => SC0I i 

((S_fsm_state = SC0I) => ((S_fsm_ddayl7) => SC0F I SC0I) I 
((S_fsm_state = SC OF) => ST I 
((S_fsm_state = ST) => SC II I 

((S_fsm_state = SC1I) => ((S_fsm_delayl7) => SC1F I SC1I) I 
((S_fsm_state = SC IF) => SS I 

((S_fsm_$tate = SS) => ((S_fsm_botbbad) => SSTOP I SCS) I 
((S_fsm_state = SSTOP) => SSTOP I 
((S_fsm_state » SCS) => ((S_fsm_delay6) => SN I SCS) I 
((S Jsm.state = SN) => ((S Jsm_delayl7) => SO I SN) I 
((S_fsm_state = SO) => SO I S JLL)))))))))))))) in 
let s_fsm_sn = (new_S_fsm_state = SN) in 
let s_fsm_so = (ne w_S_fsm_s tate = SO) in 

let reset_cport = (((~(new_S_fsm_state = SO)) A (~(S_fsm_state = SSTOP))) V (S_fsm_state = SRA)) in 
let s_f&m_sdi = (((~(new_S_fsm_state = SO)) A (~(S_fsm_state = SSTOP))) V (S_fsm_state = SRA)) in 
let reset_piu = ((new_S_fsm_state = SSTART) V (new_S_fem_state = SRA) 

V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) 

V (new_S_fsm_state = SC IF) V (new_S_fsm_state = SS) V (new_S_fsm_state = SCS)) in 
let s_fsm_src0 = ((~(new_S_fsni_state = SPF)) A ( ~(new_S_fsm_state = SC0I))) in 

let s_fsm_srcl = ((~{new_S_fsm_state = ST)) A (~(new_S_fsm_state = SC II))) in 

let s_fsm_spf = ((S_fsm_state = SRA) A S_fsm_delay6 A ~S_fsm_rst) in 

let s_fsm_scOf = (new_S_fsm_state = SCOF) in 

let s_fsm_sclf = (new_S_fsm_state = SC IF) in 

let s_fsm_spmf = ( n ew_S_fsm_state = SO) in 

let s_fsm_sb = (new_S_fsm_state = SSTART) in 

let s_fsm_src = ((new_S_fsm_state = SSTART) V ((S_fsm_state = SRA) A S_fsm_delay6) 

V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) V ( ne w_S_f sm_> tate = SC IF) 
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V (new_S_fsm_state = SS) V ((S_fsm_state = SCS) A S_fsm_dday6)) in 
let s_fsm_sec = (((-(new_S_fsm_state = SSTOP)) A (-(new_S_fsm_state = SO))) V (S_fsm_state = SN)) in 
let s_fsm_srs = (((S_fsm_state = SPF) A ~S_fsm_rst) V ((S_fsm_state = ST) A -S_fsm_rst)) in 
let s_fsm_scs = (new_S_fsm_state = SCS) in 

let new _P_addr = ((-P_rqt) => (SUB ARRAY L_ad_in (25,0)) I P_addr) in 
let new_P_destl = ((-P_rqt) => (ELEMENT L_ad_in (31)) I P_destl) in 
let new_P_be_ = ((~P_rqO => L_be_ I P_be J in 
let new_P_wr = ((-P_rqt) => L_wr I P_wr) in 
let new_P_size = 

((-P_rqt) => (SUB ARRAY L_ad_in (1,0)) I 
((P_down) => (DECN 1 P_size) I P_size)) in 
let new_C_holdA_ = ((ClkD) => C_hold_ I C_boldA_) in 

let i_cale_ = -((new_C_mfsm_state = CM A3) A (new_P_fsm_state = PA) A new_C_boldA_) in 
let c_srdy_en = ((new_C_efsm_state = CEE) V (C_efsm_state = CEE)) in 
let new_M_count = 

(((new_M_fsm_state = MA) V (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) I (WORDN 2)) I 
(((new_M_fsm_state = MW) V (new_M_fsm_state = MR)) => (DECN 2 M_count) I M_count)) in 
let m_idy = (((new_M_fsm_state = MW) A (new_M_count = (WORDN 0))) 

V ((new_M_fsm_state = MR) A (new_M_count = (WORDN 0)) A ~M_wr)) in 
let m_srdy_ = -((M_rdy A -M_wr) V (m_rdy A M_wr)) in 

let i_srdy_ = ((~i_cale_ V c_srdy_en) => ~(C_wrdy V C_rrdy V ( new_C_mfsm_state = CMABT)) I 
~(new_M_fsm_state = MI) => m_srdy_ I 

((new_R_fsm_state = RA) V (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) A (new_R_fsm_state = RD)) I 
ARB) in 

let p_ale = (~L_ads_ A L_den_) in 

let p_sack = ((P_size = ((P_down) => (WORDN 1) I (WORDN 0))) A ~i_srdy_ A (new_P_fsm_state = PD)) in 
let new_P_rqt = 

((p_ale A ~(p_sack V reset^piu)) => T I 
((~p_ale A (p__sack V reset_piu)) => F I 
((~p_ale A ~(p_sack V reset_piu)) => P_rqt I ARB))) in 
let new_P_down = (~i_srdy_ A (new_P_fsm_state = PD)) in 
let new_P_male_ = ((new_P_fsm_sUte = PA) => 

~(~new_P_destl A (-((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) A new_P_rqt) I P.maleJ in 
let new_P_rale_ = ((new_P_fsm_state = PA) => 

-(~new_P_destl A ((SUB ARRAY new_P_addr (25 04)) = (WORDN 3)) A new_P_rqt) I P.raleJ in 
let new_P_lock_ = 

((reset _piu) => T I 

((new_P_fsm_state = PD) => L_lock_ I P JockJ) in 
let new JMock_inh_ = 

((reset^piu) => T I 

((~new_P_male_ V -new_P_raleJ => LJock_ I P_k)ck_inh_)) in 
let pod31_27 = (M ALTER ARBN (31,27) new_P_beJ in 
let pod31_26 = (ALTER pod31_27 (26) F) in 

let pod3 1_24 = (M ALTER pod31_26 (25,24) (SUBARRAY new_P„addr (1,0))) in 
let new_C_iad_en_s_delA = ((ClkD) => C Jad_en_s_del I C_iad_en_s_delA) in 
let new_C_sizewrbe = ((reset_cport) => (WORDN 0) l 

(((new_C_sfsm_state = CS AO) A C_clkA) => (SUB ARRAY CJi atajn (3 1 ,22)) I C.sizewrbe)) in 
let c_new_ write = (((-(new_C_mfsm_state = CMI)) A (~(new_C jnfsm.state = CMR))) => 

C_wr I (ELEMENT new_C_sizewrbe (5))) in 
let new_C_iad_out = ((C_cin_2_le) => C_data_in I C_iad_out) in 
let r_reg_sel = ((~R_srdy_delJ => (INCN 3 R_reg_sel) I R_reg_sel) in 
let new_R_icr = 

((R_icrJoad) => 
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((~(r_reg_sel = (WORDN 1))) => (Ando rep (R_icr_old, R_icr_mask)) I (Ora rep (R_icr_old, R_icr_mask))) I 
R_icr) in 

let new_R_busA_latch = 

((R_ctrO_irden) => R_ctrO_in I 
((R_ctrO_orden) => R_ctrO_out I 
((R_ctrl_irden) => R_ctrl_in I 
((R_ctrl_orden) => R_ctrl_out I 
((R_ctr2_irden) => R_ctr2_in I 
((R_ctr2_ordeo) => R_ctr2_out I 
((R_ctr3_irden) => R_ctr3_in I 
((R_ctr3_orden) => R_ctr3_out I 
((R_icr_rden) => new_R_icr I 
((R_ccr_rden) => R_ccr I 
((R_gcr_rden) => R_gcr I 
((R_» jdco) => R_sr I ARB)))))))))))) in 
let i_ad = ((new_P_fsm_state * PA) => pod31_24 1 

( ( ne w_P_f sm_state = PD) A new_P_wr) => L_ad_in I 
(new_C_iad_en_s_delA V 

(( new_C_mfsm_state = CMD1 ) A -c_new_write A c_srdy_en) V 
(( Dew_C__mfsm_state = CMDO) A ~c_new_write A c_srdy_en) V 

((new_C_mfsm_state = CMW) A (C_mfsm_state = CMDO) A -c_new_write A c_srdy_en) V 
((new_C_sfsm_state * CSALE) A (~(C_sfsm_state = CSALE))) V 
((new_C_sfsm_state = CSALE) A c_new_write) V 

((new_C_sfsm_state = CSDi) A c_new_write A (~{C_sfsm_state = CSRR))) V 
((new_C_sfsm_state = CSDO) A c_new_ write) V 
((new_C_sfsm_state = CSACK) A c_new_ write)) => new_C _iad_out I 
(M_wr A ~(new_M_fsm_state = MI)) => M_rd_data I 

(-R_wr A ((new_R_fsm_state = RA) V ( ne w_R_fsm_state = RD))) => new_R_busA_latch I ARB) in 
let disable_writes = ( ( ~(ne w_C_s fsm_state = CSI)) A ( ~(new_C_sfsm_state = CSL)) A 
-((ChannellD = (WORDN 0)) A (ELEMENT C.source (6))) A 
-((ChannellD = (WORDN 1 )) A (ELEMENT C.source (7))) A 
-((ChannellD = (WORDN 2)) A (ELEMENT C_ source (8))) A 
-((ChannellD = (WORDN 3)) A (ELEMENT C.source (9)))) in 

let i_rale_ = 

(-(new_P_fsm_state = PH) => 

-(-new_P_destl A ((SUB ARRAY new_P_addr (25,24)) = (WORDN 3)) A (new_P_fsm_state = PA) A new_P_rqt) I 
- ( ( new_C_sfsm_state = CSALE) A ((SUB ARRAY new_C_sizewihe (1,0)) = (WORDN 3)) A C.clkA)) in 
let new_R_wr = ((-i_rale_) => (ELEMENT i_ad (27)) I R_wr) in 
let r_writeB = (~disable_writes A new_R_wr A ( oew_R_fsm_state = RD)) in 
let r _readB = (-new_R_wr A (new_R_fsm_state = RA)) in 
let new_R_gcr = ((r_writeB A (r__reg_sel = (WORDN 2))) => i_ad I R_gcr) in 
let new_R_gcr_rden = (r.readB A (r_reg_sel = (WORDN 2))) in 
let gcrl = (ELEMENT new_R_gcr (0)) in 
let gcrh = (ELEMENT new_R _gcr (1 )) in 
let reset_error = (ELEMENT new_R_gcr (24)) in 
let piu_invalid = (ELEMENT new_R_gcr (28)) in 

let cout_sel0 = (ALTER ARBN (0) (((new_C_sfsm_state = CSDI) V (new_C_s fsm_state = CSDO)) => 

(new_C_sfsm_state = CSDI) I 

( ne w_C_mfsm_state = CM A3) V (new_C_mfsm_state = CMA1 ) 

V (new_C_mfsm_state = CMD1))) in 
let c_cout_sel = (ALTER cout_sel0 (1) (((new_C_sfsm_state = CSDI) V (new_C_sfsm_state = CSDO)) => 

F! 

(new_C_mfsm_state = CM A3) V (new_C_mfsm_state = CMA2))) in 
let new_C_hold_ = ( new_C_sf sm_s tate = CSI) in 
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let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) I C_wt) in 
let new_C_clkA = ClkD in 
let i_last_ » 

(~(new_P_fsm_state = PH) => 

(P^size = ((P_down) => (WORDN 1) I (WORDN 0))) I 
CJast_outJ in 

let new_C_last_in_ - ((reset_cport) => F I 

(((new_C_mfsm_state = CMABT) V (new_C_mfsm_state = CMD1) A ClkD) => 1 _last_ I 
C_last_in_» in 

let new_CJock_in_ = ((reset_cport) => F I 

((Dew_C_mfsna_state = CMA1) => ~(~new_P_lock_ A new_P_lock_inh_) I 

C_lock_in_)) in 

let new_C_ss = (((~(new_C_mfsm_state = CMABT)) A Hnew_C_mfsm_state = CMI))) => CB_ss_in 1 C_ss) in 
let new_C_last_out_ = 

(((new_C_sfsm_state = CSA1) A -(ClkD A ((CB_ms_in = A MEND) V (CB_ms_in = A M ABORT)))) => T I 
((~(new_C_sfsm_state = CS Al) A (ClkD A ((CB_ms_in = A MEND) V (CB_ms_in = A MABORT)))) => F I 
((-(new_C_sfsm_state = CSA1) A -(ClkD A ((CBjns Jn = A MEND) V (CB_ms_in = A MABORT)))) => C_last_out_ 
ARB))) in 

let c_srdy = (CB_ss_in = A SRDY) in 

let c_dfsm_master = ((new_C_mfsm_state = CMA3) V (new_C_mfsm_state = CMA2) V (new_C_mfsm_state = CMA1) 

V (new_C_mfsm_state = CMAO) V (new_C_mfsm_state = CMD1) V (new_C_mfsm_state = CMDO)) in 
let c_dfsm_cad_en = -((new_C_mfsm_state = CMA3) V (new_C_mfsm_state = CMA1) V (new_C_mfsm_state = CMAO) 

V (oew_C_mfsm_state = CM A2) 

V (c_new_write A ((new_C_mfsm_state = CMD1 ) V (new_C_mfsm_state = CMDO))) 

V (-c_new_write A ((new_C_sfsm_state = CSD1) V (new_C_sfsm_state = CSDO)))) in 
let new_C_cout_0_le_del = ((i_cale J V (i_srdy_ A -c_new_write) 

V ((new_C_mfsm_state = CMAO) A c_srdy A c_new_write A ClkD) 

V ((new_C_mfsm_state = CMDO) A c_new_write A c_srdy A ClkD)) in 
let new_C_cin_2_le = (ClkD A (((new_C_mfsm_state = CMDO) A c_srdy A -c_new_write) V 

((new_C_sfsm_state = CSAO)) V 
((new_C_sfsm_state = CSDO) A c_new_write))) in 

let new_C_mrdy_del_ = -((-c_new_write A ClkD A ((new_C_sfsm_state = CSALE) V (new_C_sfsm_state = CSD1 ))) V 
(~c_new_ write A C_clkA A (oew_C_sfsm_state = CSACK)) V 
(c_new_write A ClkD A (new_C_sfsm_state = CSDO))) in 
let new_C_iad_en_s_del * (((new_C_sfsm_state = CSALE) A ( ~(C_sfsm_state = CSALE))) 

V ((new_C_s fsm_state = CSALE) A c_new_write) 

V ((new_C_sfsm_state = CSD1) A c_new_write A (~(C_sfsm_state = CSRR))) 

V ( (new_C_sfsm_state = CSDO) A c_new_write) V 
((new_C_sfsm_$tate = CSACK) A c_new_write)) in 

let new_C_wrdy = (c_srdy A c_new_write A ( new_C_mfsm_state = CMD1) A ClkD) in 
let new C_rrdy = (c_srdy A ~c_new_wnte A (new_C_mfsm_state = CMDO) A ClkD) in 
let c_pe = (Par_Det rep (CB_ad_in)) in 

let c_m parity « ((new_C_mfsm_state = CM A3) V (new_C_mfsm_state = CMA1) V (new_C_mfsm_state = CMAO) 

V (new_C_mfsm_state = CMA2) V ( oe w_C_mfsm_state = CMD1) V (new_C_mfsm_state = CMDO) 

V (C_mfsm_state = CMA1) V (C_mfsm_state = CMAO) V (C_mfsm_state = CM A2) 

V (C_mfsm_state = CMD1)) in 

let c_sparity = ((-(new_C_sfsm_state = CSI)) A (~(new_C_sfsm_state = CSACK)) A (~(new_C_sfsm_state = CSABT))) in 
let c _pe_cnt = (ClkD A ((-(c_mpanty = c_sparity)) V ((SUB ARRAY CB_sx_m (1,0)) = (WORDN 0)))) in 
let new_C ^parity = 

(((ClkD A c_pe A c_pe_cnt) A ~reset_error) => T I 
((-(ClkD A c_pe A c_pe_cnt) A reset_error) => F I 
((-(ClkD A c_pe A cj>e_cnt) A ~reset_eiror) => C^parity I ARB))) in 
let new_C_source = 

((reset_cport) => (WORDN 0) I 
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((ClkD A ((new_C_sfsm_statc = CSI) V (uew_C_sfsm_state = CSL))) => Par_Dec rep (CB_ad_in) I C_source)) in 
let data_in31_16 = 

(MALTBR ARBN (31,16) ((reset_cport) => (WORDN 0) I 

((ClkD A (((new_C_mfsm_state = CMD1) A c_srdy A -c_new_write) V 
((new_C_sfsm_state = CSA1)) V 

((new_C_sfsm_state = CSD1 ) A c_new_write))) => Par_Dec rep (CB_ad_in) I 
(SUB ARRAY C_data_in (31,16))))) in 

let new_C_data_in = 

(MALTER data_in31_16 (15,0) ((reset_cport) => (WORDN 0) I 

((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) I 
(SUBARRAY C_data_in (15,0))))) in 
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad I C_iad_in) in 
let new_C_alaO = 

(((c_dfsm_jnaster A C_co ut_0_le_del ) V 

( -c_dfsm_master A C_clkA A (new_C_sfsm_state = CSD1))) => C_iad_in I C_alaO) in 
let new_C_a3a2 = (( new_C_mf sm_state = CMR) => R_ccr I C_a3a2) in 
let i_be_ = ((new_P_fsm_state = PA) => oew_P_be_ I 

(new_P_fsm_state = PD) => L_be_ I SUBARRAY new_C_sizewrbe (9,6)) in 
let i_male_ = 

(~( new_P_fsm_state = PH) => 

-(-new_P_destl A (-((SUB ARRAY new_P_addr (25,24)) = (WORDN 3))) A (new_P_fsmjstate = PA) A new_P_rqt) I 
~((new_C_sfsm_state = CSALE) A (-((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) A C_clkA)) in 
let new_M_se = ((-Lmale _) => (ELEMENT i_ad (23)) I M_se) in 
let new_M_wr = ((-i_male_) => (ELEMENT i_ad (27)) I M_wr) in 
let new_M_addr = 

((-Lmale J => (SUB ARRAY i_ad (18,0)) I 
((M_rdy) => (1NCN 18 M_addr) I M^addr)) in 
let new_M_be = ((~i_male_ V -m_srdy_) => (NOTN 3 i_be_) I M _be) in 
let new_M_rdy = m_rdy in 

let new_M_wwdel = ((new_M_fsm_state * MA) A oew_M_wr A (new_M_be = (WORDN 15))) in 
let new_M_rd_data = (((new_M_fsm„state = MR)) => (Ham_Dec rep MB_data_in) I M_rd_data) in 
let new_M_detect = 

( (( (ne w_M_fsm_state = MR) A ~new_M_wr) V new_M_wr V (new_M_fsm_state * Ml)) => 

((-Edac_en_) => (Ham_Detl rep MB_data_in) I WORDN 0) I M_detect) in 
let m_error = (-m_srdy_ A ( ~(new_M_fsm_state = MI)) A Ham_Det2 rep (new _M_detect, -Edac_en_)) in 
let new_M_parity = 

((m_error A -(resetjpiu V reseLerror)) => T I 
((-m_error A (reset_piu V reset_etTor)) => F I 
((-m_error A -(reset_piu V reset_error)) => M_parity I ARB))) in 
let new_R_cntlatch_del = r_fsm_cntlatch in 
let new_R_srdy_del_ = r_fsm_srdy_ in 
let newR reg sel = 

((-i.ralej => (SUBARRAY Lad (3,0)) I 
((-R_ardy_del_) => (INCN 3 R _reg_sel) I R _jeg_sel)) in 
let r_writeA = (~disable_ writes A R_wr A ( ne w_R_fsm_state = RD)) in 
let r _readA = (~R_wr A (new_R_fsm_state = RA)) in 

let r_cir_wi01A = ((r_writeA A ((r_reg_sel = (WORDN 8)) V (r_reg_sel = (WORDN 9))))) in 
let r_cirjwi01B = ((r_writeB A ((r_reg_sel = (WORDN 8)) V (r _jeg_sel = (WORDN 9))))) in 
let r_cir_wr23A = ((r_ write A A ((r_reg_sel = (WORDN 10)) V (r_reg_sel = (WORDN 11))))) in 
let r_cir_wr23B = ((r.writeB A ((r_reg_sel = (WORDN 10)) V (r_reg_sel = (WORDN 11))))) in 
let new_R_ccr = ((r_writeB A (r_reg_sel = (WORDN 3))) => i_ad I R_ccr) in 
let new_R_ccr_rden = (r_readB A (r_reg_sel = (WORDN 3))) in 
let new_R_c01_cout_del = R_ctrl_cry in 
let new_R_intl_en = 
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((((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT ncw_R_gcr (16))))) A 
-(-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => T I 
((-((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT oew_R_gcr (16))))) A 
(-(ELEMENT new_R_gcr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => F I 
((-((ELEMENT new_R_gcr (18)) A (r_cir_wr01B V (R_ctrl_cry A (ELEMENT new_R_gcr (16))))) A 
-(-(ELEMENT new_R_£cr (18)) V ((ELEMENT new_R_gcr (17)) A R_c01_cout_del))) => R Jntl_en I ARB))) in 
let new_R_c23_cout_del = R_ctr3_cry in 
let new_R_int2_en = 

((((ELEMENT new_R_gcr (22)) A (r_cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
-(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_£cr (21 )) A R_c23_cout_del))) => T I 
((-((ELEMENT new_R_gcr (22)) A (r_cir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => F I 
((-((ELEMENT new_R_gcr (22)) A (r_eir_wr23B V (R_ctr3_cry A (ELEMENT new_R_gcr (20))))) A 
-(-(ELEMENT new_R_gcr (22)) V ((ELEMENT new_R_gcr (21)) A R_c23_cout_del))) => RJnt2_en I ARB))) in 
let new_R_ctrO_in = ((r_writeB A (r_reg_sel = (WORDN 8))) => i_ad I R_cbO_in) in 
let new_R_ctrO_mux_sel = (r_cir_wr01B V ((ELEMENT new_R_gcr (16)) A R_ctrl_cry)) in 
let new_R_ctrO_irden = (r_readB A (r_reg_sel = (WORDN 8))) in 
let new_R_ctrO = ((R_ctrO_mux_sel) => R_ctiO_in I R_ctrt)_new) in 
let new_R_ctiO_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_chO) I R_ctiO) in 
let new_R_ctiO_cry = ((ONES 31 R_cttO) A (ELEMENT new_R_gcr (19))) in 
let new_R_ctrO_oul = ((r_fsm_cntlatch) => R_ctrO_new I R_ctrO_out) in 
let new_R_ctrO_orden = (r_readB A (r_reg_sel = (WORDN 12))) in 
let new_R_ctrl_in = ((r_writeB A (r_reg_sel = (WORDN 9))) => i_ad I R_ctrl_in) in 
let new_R ctrl_mux_sel = (r_cir_wr01B V ((ELEMENT new_R_ gcr (16)) A R_ctrl_cry)) in 

let new_R_ctr l_irden = (r_readB A (r_reg sel — (WORDN 9))) in 

let new_R_ctrl = ((R_ctrl_mux_sel) => R_ctrl_in I R_ctrl_new) in 

let new_R_ctrl_new = ((R_ctrO_cry) => (INCN 31 R_ctrl) I R_ctrl ) in 

let new_R_ctrl_cry = ((ONES 31 R_ctrl) A R_ctrO_cry) in 

let new_R_ctrl_out = ((R_cntlatcb_del) => R_ctrl_new I R_ctrl_out) in 

let new_R_ctr l_orden = (r_readB A (r_reg_sel = (WORDN 13))) in 

let new_R_ctr2_in = ((r_writeB A (r reg sel = (WORDN 10))) => i_ad I R_ctr2_in) in 

let new_R_ctr2_mux_sel = ((r_cir_wr23B V ((ELEMENT new_R_gcr (20)) A R_ctr3_cry))) in 

let new_R_ctr2_irden = (r_readB A (r_reg_sel = (WORDN 10))) in 

let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in I R_ctr2_new) in 

let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) I R_ctr2) in 

let new_R_ctr2_cry = ((ONES 31 R_cti2) A (ELEMENT new_R_gcr (23))) in 

let new_R_ctt2_out = ((r_fsm_cntlatch) => R_ctr2_new I R_ctr2_out) in 

let new_R_ctr2_orden = (r_readB A (r_reg_sel = (WORDN 14))) in 

let new_R_ctr3_in = ((r_writeB A (r reg sel = (WORDN 11))) => i_ad I R_ctr3_in) in 

let new_R_ctr3_mux_sel = ((r_cir_wr23B V ((ELEMENT new_R_gcr (20)) A R_ctr3_cry))) in 

let new_R_ctr3_iideo = (r_readB A (r_reg_sel = (WORDN 11))) in 

let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in I R_ctx3_new) in 

let new_R_ctr3_new = ((R_ctr2_ciy) => (INCN 31 R_cti3) I R_ctr3) in 

let new_R_ctr3_cry = ((ONES 31 R_ctr3) A R_ctr3_cry) in 

let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new I R_ctr3_out) in 

let new_R_ctr3_orden = (r_readB A (r_reg_sel = (WORDN 15))) in 

let new_R_icr_load = (r.writeB A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) in 
let new_R_icr_old = 

((r_writeB A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1)))) => R_icr I R_icr_old) in 
let new_R Jci_mask = 

((r_writeB A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1 )))) => i_ad I R_icr_mask) in 
let new_R_icr_rden = ((new_R_fsm_state = RA) A ((r_reg_sel = (WORDN 0)) V (r_reg_sel = (WORDN 1 )))) in 
let r_intO_en = (((ELEMENT RJcr (0)) A (ELEMENT R_icr (8))) V 
((ELEMENT RJcr ( 1 )) A (ELEMENT RJcr (9))) V 
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((ELEMENT R_icr (2)) A (ELEMENT RJcr (10))) V 
((ELEMENT RJcr (3)) A (ELEMENT RJcr (11))) V 
((ELEMENT RJcr (4)) A (ELEMENT RJcr (12))) V 
((ELEMENT RJcr (5)) A (ELEMENT RJcr (13))) V 
((ELEMENT RJcr (6)) A (ELEMENT RJcr (14))) V 
((ELEMENT RJcr (7)) A (ELEMENT RJcr (15)))) in 
let new_R_intO_dis = rjnt0_en in 

let r Jnt3_en = (((ELEMENT RJcr (16)) A (ELEMENT RJcr (24))) V 
((ELEMENT RJcr (17)) A (ELEMENT RJcr (25))) V 
((ELEMENT RJcr (18)) A (ELEMENT RJcr (26))) V 
((ELEMENT RJcr (19)) A (ELEMENT RJcr (27))) V 
((ELEMENT RJcr (20)) A (ELEMENT RJcr (28))) V 
((ELEMENT RJcr (21)) A (ELEMENT RJcr (29))) V 
((ELEMENT RJcr (22)) A (ELEMENT RJcr (30))) V 
((ELEMENT RJcr (23)) A (ELEMENT RJcr (31)))) in 
let new J<_int3_dis = r_int3_en in 

let new_S_soft_shot_del = (~gcrb A gcrl) in 
let s_soft_cot_out a 

((s Jsm_srs) => 

((gcrl A -gcrb A ~S_soft_shot_del) => (WORDN 1) I (WORDN 0)) I 
((gcrl A -gcrh A -S_soft_shot_del) => (INCN 2 S_soft_cnt) I S_soft_cnt)) in 
let new_S_soft_cnt = ((-gcrh A -gcrl) => (WORDN 0) I s_soft_cnt_out) in 
let s_delay_out = 

((s_fsm_src V (sjsm_scs A (ELEMENT S_delay (6)))) => 

((s _fsm_sec) => (WORDN 1) I (WORDN 0)) I 
((s_fsm_sec) => (INCN 17 $_delay) I S_delay)) in 
let new_S_delay = s_delay_out in 

let s_cpuO_ok = (s_fsm_scOf A Failure0_ A (s_soft_cnt_out = (WORDN 5))) in 
let s_cpul_ok = (s_fsm_sclf A Failure 1_ A (s_soft_cnt_out = (WORDN 5))) in 
let new_S_pmm_fail = 

((s_fsm_sb A ~s_fsm_spmf) =» T I 
((~sjsm_sb A s_fsm_spmf) => F I 
((~sjsm_sb A -s_fsm_spmf) => S_pmm_fail I ARB))) in 
let new_S_cpuO_fail = 

((s_fsm_sb A -(s_cpuO_ok V Bypass)) => T f 
((~sjsm_sb A (s_cpuO_ok V Bypass)) => F I 
((~s_fsm_sb A ~(s_cpuO_ok V Bypass)) => S_cpuO_fail I ARB))) in 
let new_S_cpul_faii = 

((s_fsm_sb A -(s_cpul_ok V Bypass)) => T I 
((~s_fsm_sb A (s_cpul_ok V Bypass)) => F I 
((-s_fsm„sb A ~(s_cpul_ok V Bypass)) => S_cpul Jail I ARB))) in 
let new_S_piu_fail - 

((s_fsm_sb A ~(s_fsm_spf V Bypass)) => T I 
((~s_fsm_sb A (s_fsm_spf V Bypass)) => F I 
((-s_fsm_sb A -(s_fsm_spf V Bypass)) => S_piujail I ARB))) in 
let s_cpuO_select = ((s_fsm_sn V s_fsm_so) A ~S_cpuO_fail) in 
let s_cpul_select = ((s _fsm_sn V s_fsm_so) A S_cpuO_fail A ~S_cpui_fail) in 
let new_S„b ad_cpuO = 

((s_fsm_sb A -s_cpuO_select) => T I 
((~s_fsm_sb A s_q?u0_8elect) => F I 

((-s_fsm_sb A ~s_cpuO_select) => S_bad_cpuO I ARB))) in 
let new_S_bad_cpu 1 = 

((s_fsm_sb A -s_cpul_select) => T I 
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((~s_fsm_sb A s_cpul_select) => F I 
((~s_fsm_sb A ~s_cpul_select) => S_bad_cpul I ARB))) in 
let new_S_reset_cpuO = (new_S_bad_cpuO A s_fsm_srcO) in 
let new_S_reset_cpul = (new_S_bad_cpul A s_fsm_srcl ) in 
let new_S_cpu_hist = (S_reset_cpuO A S_reset_cpul A Bypass) in 
let ssO = (ALTER ARBN (0) ((new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) 

V (new_S_fsm_staie = SCS) V (new_S_fsm_state = SN) 

V (new_S_fsm_state = SO))) in 

let ssl = (ALTER ssO (1) ((new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) 

V (new_S_fsm_state = SC II) V (new_S_fsm_state = SC IF) 

V (new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) 

V ( ne w_S_fsm_state = SCS))) in 

let ss2 = (ALTER ssl (2) ((new_S_fsm_state = SPF) V (new_S_fsm_state = SCOI) 

V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) 

V (new_S_fsm_state = SSTOP) V (new_S_fsm_state = SO))) in 
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SR A) V (new_S _fsm_state = SPF) 

V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1I) 

V (new_S_fsm_state = SCS) V (new_S_fsm_state = SN) 

V (new_S_fsm_state = SO))) in 

let s_state = ss3 in 

let sr28 = (ALTER ARBN (28) new_M_parity) in 

let sr28_25 = (M ALTER sr28 (27,25) new _C_ss) in 

let sr28_24 = (ALTER sr28_25 (24) new_C_panty) in 

let sr28_22 = (M ALTER sr28_24 (23,22) ChannellD) in 

let sr28 _16 = (M ALTER sr28_22 (21,16) Id) in 

let sr28_12 = (MALTER sr28_16 (15,12) s_state) in 

let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in 

let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in 

let si28_3 = (ALTER sr28_8 (3) new_S_reset_cpul) in 

let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpuO) in 

let sr28_l = (ALTER sr28_2 (l)new_S_cpul_fail) in 

let sr28_0 = (ALTER sr28__l (0) oew_S_cpuO_fail) in 

let new_R_st = ((r_fsm_cntlatcb) => sr28_0 1 R_sr) in 

let new_R_sr_rden = (r_readB A (r_reg_sel = (WORDN 4))) in 

let new _P_fsm_rst = reset_piu in 
let oew_P_fsm_sack = p_sack in 

let new_P_fsm_cgnt_ = ~(new_C_mfsm_state = CMA3) in 

let new_P_fsm_hold_ = new_C_holdA_ in 

let new_C_mfsm_D = ClkD in 

let new_C_mfsm_rst = reset_cport in 

let new_C_mfsm_crqt_ = ~(new_P_destl A new_P_rqt) in 

let new_C_mfsm_hold_ = new_C_boldA_ in 

let new_C_mfsm_ss = CB_ss_m in 

let new_C_mfsm_invalid = piu_invalid in 

let new_C_sfsm_D = ClkD in 

let new_C_sfsm_rst = reset_cport in 

let new_C_sfsm_blda„ = ~(new_P_fsm_state = PH) in 

let new_C_sfsm_ms = CB_ms_in in 

let new_C_efsm_cale_ = i_cale_ in 

let new_C_efsm_last_ = i_last_ in 

let new_C_efsm_male_ = i_male_ in 

let new_C_efsm_rale_ = i_rale_ in 

let new_C_efsm_srdy_ = i_srdy_ in 
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let new_C_efsm_rst = reseLcport in 
let new_M_fsm_male_ = i_male_ in 
let new_M_fsm_last_ = i_last_ in 

let new_M_fsm_mrdy_ = ((-(P_fsm_state = PH)) => F I C_mrdy_del_) in 
let new_M_fsm_rst = reset_piu in 
let new_R_fsm_ale_ = i_rale_ in 

let new_R_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F 1 C_mrdy_del_) in 
let new_R_fsm_Jast_ = i_last_ in 
let new_R_fsm_rst = reset_j>iu in 
let new_S_fsm_rst = Rst in 

let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in 

let new_S_fsm_delay 1 7 = ((Test) => (ELEMENT s_delay_out (6)) I (ELEMENT s_delay_out (17))) in 
let new_S_fsm_bothbad = ( new_S _c puO_fail A new_S_cpul_fail) in 
let new_S_fsm_bypass = Bypass in 

let L_ad_out = (((~(new_P_fsm_state = PA)) 

A ( -( new_P_fsm_state - PH)) 

A ~((new_P_fsm_state = PD) A new_P_wr)) => i_ad I ARBN) in 
let L_ready_ = ~(~i_srdy_ A (new_P_fsm_state = PD)) in 
let CB_rqt_out_ » -( ~(new_C_mfsm_state = CMI)) in 

let msO = (ALTER ARBN (0) (((new_C_ J mfsm_state = CM DO) A -CJastJnJ V 

((new_C_mfsm_state = CMW) A C _lock_in_) V 
(new_C_mfsm_state = CMABT))) in 

let mslO = (ALTER msO (1) (((new_C_mfsm_state = CMA1) V ( new_C_mf sm_state = CMAO) V 
(new_Cjnfsm_state = CMA2) V (new_C _mfsm_state = CMD1) V 
(( new_C_mfsm_state = CMDO) A CJast_in_) V (new_C_mfsm_state = CMW) V 
(new_C_mfsm_state = CMABT)))) in 

let ms210 = (ALTER ms 10 (2) (((new_C_mfsm_state = CMA3) V ( new_C_mfsm_state = CMA1) V 

(new_C _mfsm_state = CMAO) V (new_C _jnfsm_state = CMA2) V 
(new_C _mfsm_state = CMD1 ) V (new_C _mfsm_state = CMDO) V 
(new_C_mfsm_state = CMW) V ( ne w_C_mfsm_state = CMABT)) A 

~new_Sj3mm_fail A -(ELEMENT new_R_gcr (28)))) in 
let CB_ms_out = (((~(new_C_mfsm_state = CMI)) A (~(new_C_mfsm_state = CMR))) => ms210 I ARBN) in 
let ssO = (ALTER ARBN (0) ((new_C_sfsm_state = CS AOW) V 

((new_C_sfsm_state = CSALE) A -c_new_write) V 
(new_C_sfsm_state = CSACK))) in 
let sslO = (ALTER ssO (1) ~(new_C_sfsm_state = CSACK)) in 
let ss210 = (ALTER sslO (2) (-new_S _pmm_fail A -(ELEMENT new_R_gcr (28)))) in 
let CB_ss_out = (((~(new_C_sfsm_state = CSI)) A (~(new_C_sfsm_state = CSABT))) => ss210 I ARBN) in 
let CB_ad_out = ((c_dfsm_cad_en) => 

((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_alaO (15,0)) I 
((c_cout_sel = (WORDN 1)) => Par.Enc rep (SUBARRAY new_C_alaO (31,16)) I 
((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUB ARRAY new_C_a3a2 (15,0)) I 
Par.Enc rep (SUB ARRAY new_C_a3a2 (31,16))))) I ARBN) in 
let MB_addr = ((M_idy) => (INCN 18 M_addr) I M_addr) in 

let mb_data_7 J) = (((ELEMENT M_be (0))) => (SUBARRAY i_ad (7,0)) I (SUBARRAY M^d.data (7,0))) in 
letmb_data_15_8 = (((ELEMENT M_be (1))) => (SUBARRAY Lad (15,8)) I (SUBARRAY M_rd_data (15,8))) in 
let mb_data_23_l 6 = (((ELEMENT M_be (2))) => (SUB ARRAY i_ad (23,16)) I (SUBARRAY M__rd_data (23,16))) in 
let mb_data_3 1_24 = (((ELEMENT M.be (3))) => (SUBARRAY Lad (31,24)) I (SUBARRAY M^rd_data (31,24))) in 
let mb_data = ((M ALTER (M ALTER (M ALTER (MALTER ARBN (7,0) mbdataJM)) 

(15,8) mb__data_l 5_8) 

(23,16) mb_data_23_16) 

(31,24) mb_data_3 1 _24)) in 

let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb__data) I ARBN) in 
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let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) A ~new_M_se) in 
let MB_cs_sram_ = -( ( -( ne w_M_f sm_s tate = MI)) A new_M_se) in 
let MB_we_ = ~((new_M_se V ~(-(new_M_fsm_state = MI)) V -reset_cpoit) 

A -disable.. writes 

A ( (new_M_fsm_state = MBW) V (new_M_fsm_state = MW) V new_M_wwdel)) in 
let MB_oe_ = -((~new_M_wr A (new_M_fsm_state = MA)) V (new_M_fsm_state = MR)) in 
let disable.int = (-(s_fsm_sn A (ELEMENT s_delay_out (6))) A s_fsm_sdi 

A ((Test) => -(ELEMENT s_delay_out (5)) I -(ELEMENT s_delay_out (16)))) in 
let IntO_ = ~(r_intO_en A -R_intO_dis A -disable Jnt) in 
let Inti = (R_ctrl_cry A new_R_intl_en A -disable_int) in 
let Int2 » (R_ctr3_cry A new_R_int2_en A -disable Jnt) in 
let Int3_ = -(rjnt3_en A -R Jnt3_dis A -disable_int) in 
let Led = (SUBARRAY new_R_gcr (3,0)) in 
let Reset_cpuO = new_S_reset_cpuO in 
let Reset_cpul = new_S_reset_cpul in 
let Cpu_hist = new_S_cpu_hist in 
let Piu_fail = new_S_piu_fail in 
let Cpu0_fail = new_S_cpuO_fail in 
let Cpul_fail = new_S_cpul_fail in 
let Pmm_fail = new_S_pmm_fail in 

(L_ad_out, L_ready_, 

CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, 

MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, 

Int0_, Inti, Int2, Int3_, Led, 

Reset_cpuO, Reset_cpul, Cpujiist, Piu_fail, CpuO_fail, Cpul_fail, Pmm_faiir 

);; 

% Close the current HOL theory: this ends draft mode, so nothing more    %
% is added to the theory after this point. NOTE(review): the matching    %
% new_theory call is outside this excerpt; confirm which theory is       %
% being closed.                                                          %
close_theory();; 